CISA Exam Preparation Note

Domain - 01
The Process of Auditing Information Systems

Covering Area: Approximately 21% of the CISA examination

Covering Question: Approximately 32 questions

MD. JAHANGIR ALAM, CISA

jahangircsebd@gmail.com
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Domain 1 — The Process of Auditing Information Systems
“Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling
information systems.”
Domain 1 —Task Statements:
1.1. Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
1.2. Plan specific audits to determine whether information systems are protected, controlled and provide value to the
organization.
1.3. Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
1.4. Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to
promote change when necessary.
1.5. Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely
manner.
Domain 1 —Knowledge Statements:
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional
Ethics and other applicable standards
1.2 Knowledge of the risk assessment concepts and tools and techniques used in planning, examination, reporting and
follow-up
1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and
the role of IS in these processes
1.4 Knowledge of the control principles related to controls in information systems
1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
1.6 Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and
frequency of audits
1.7 Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis,
forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve
audit evidence
1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report
structure, issue writing, management summary, result verification)
1.10 Knowledge of audit quality assurance (QA) systems and frameworks
1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance
on the work of other auditors or control entities

Page 2 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com

Details Study
1.1 Management of IS Audit Function
Ensure the audit team –
i) will fulfill audit function objectives,
ii) preserve audit independence and competence
Managing the audit function should ensure value added contributions to senior management regarding –
i) the efficient management of IT and
ii) achievement of business objectives.

1.1.1 Organization of IS Audit Function

IS Audit services can be provided –
i) Externally or
ii) Internally
For Internal IS Audit:
Internal IS Audit begins with the acceptance of an Audit Charter approved by –
i) Audit Committee or
ii) Higher level of management
Audit charter
 An audit charter establishes the role of the IS audit function.
 The audit charter may include IS audit as an audit support function.
 The audit charter should clearly state –
o Management’s responsibility and objectives for, and delegation of authority to, the IS audit function
o Outlining the overall authority, scope and responsibilities of the audit function
 The audit charter should include:
o A clear statement of management's responsibility and objectives for the audit function
o Management's delegation of authority to the audit function
o The overall authority, scope and responsibilities of the audit function
o The reporting lines and relationships
o A definition of the organizational independence of the internal audit, including accountability of the audit
and provision for objective assessment of its resource requirements
o A recognition of the control environment of the organization (operations, resources, services,
responsibilities to external entities)
o The internal audit's right of access to all records, assets, personnel and premises, including those of partner
organizations
o The internal audit's authority to obtain the information and explanations it considers necessary to fulfill its
responsibilities
 Once approved, the charter should changed only if justified.

ISACA IT Audit and Assurance Standards

S1 – Audit Charter

>> The purpose, responsibility, authority and accountability of the IS audit function or IS audit assignments should be
appropriately documented in an audit charter or engagement letter.

>> The audit charter or engagement letter should be agreed and approved at an appropriate level within the organization(s).

Page 3 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
For External IS Audit:
For external IS audit, there should be a formal contact or statement of work with –
i) The Scope and
ii) The Objectives
IS audit can be –
i) Part of Internal Audit,
ii) Function as an independent group, or
iii) Integrated with a financial and operational audit.
The Audit (Internal & External) should –
i) Be independent, and
ii) Report to an audit committee or the board of director.

1.1.2 IS Audit Resource Management

IS Auditor should –
i) Update existing skills, and
ii) Obtain training towards new audit technique and technology area.
Detailed staff training, once a year should arrange addressing technology and related risks.

1.1.3 Audit Planning

 Audit planning consists of both –
i) Short term planning:
Takes into account audit issues that will be covered during the year.
ii) Long term planning
Take into account risk-related issues regarding change in IT strategy.
 Audit universe should –
Include all the relevant process.
 An overall criteria may be defined by determining the overall risk of each process.
o A Qualitative / Quantitative risk assessment need for the listed process.
o Risk factor based on –
 The frequency, and / or
 Business impact
o Input for risk evaluation should taken from business owner of the process.
o Risk value –
 High: Damage reputation which takes more than 6 months to resolve.
 Medium: Damage reputation which takes less than 6 months, but more than 3 months to
resolve.
 Low: Damage reputation which takes less than 3 months to resolve.
; where time is taken from the business owner.
 Analysis of short- and long-term issues should occur at least annually. Things to consider:
o New control issues
o Changing technologies
o Changing business processes
o Enhanced evaluation techniques
 The annual planning should be updated if any key aspects of the risk environment have changes, like
o Acquisition
o New regulatory issues
o Market conditions
o Based on concerns of management or areas of higher risk

Page 4 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
 Process failures
 Financial operations
 Compliance requirements
 Individual audit assignments
o In annual planning, each individual audit assignment must be adequately planned.
o The IS auditor should understand considerations that may impact the overall approach to the audit,
like –
 Results of periodic risk assessments
 Changes in the application of technology, and
 Evolving privacy issues and regulatory requirements
o The IS auditor should also take into considerations of –
 System implementation/upgrade deadlines
 Current and future technologies
 Requirements from business process owners, and
 IS resource limitations
 Audit Planning Steps
1. Gain an understanding of the business’s mission, objectives, purpose and processes, which include
information and processing requirements such as availability, integrity, security and business technology,
and information confidentiality.
2. Understand changes in business environment of the auditee.
3. Review prior work papers.
4. Identify stated contents such as policies, standards and required guidelines, procedures and organization
structure
5. Perform a risk analysis to help in designing the audit plan.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit
9. Address engagement logistics.

1.1.4 Effect of Laws and Regulations on IS Audit Planning

 Regulatory requirements
o Establishment
o Organization
o Responsibilities
o Correlation to financial, operational and IT audit functions
 Steps to determine compliance with external requirements:
o Identify external requirements
o Document pertinent laws and regulations
o Assess whether management and the IS function have considered the relevant external requirements
o Review internal IS department documents that address adherence to applicable laws
o Determine adherence to established procedures
1.2 ISACA IT Audit and Assurance Standards and Guidelines

1.2.1 ISACA code of professional ethics

Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls
for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional
standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of
conduct and character, and not engage in acts discreditable to the profession.

Page 5 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is
required by legal authority. Such information shall not be used for personal benefit or released to inappropriate
parties.
5. Maintain competency in their respective fields and agree to undertake only those activities that they can
reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of IS security and control.

Compliance: The act of conformity undertaken due to the trepidation of legal or regulatory sanctions, financial loss, or damage
to reputation and franchise value that may arise when an organization fails to comply with laws, regulations, standards or codes
of conduct of self-regulatory organizations applicable to the business activities and functions within the organization.

Ethics: A code of core values that guides our choices and actions, and determines the purpose and course of our organization and
lives. Standards of duty and virtue that indicate how we should behave.

IS Audit Expert

>> A common misconception is that the standards, guidelines and procedures are absolute. They are not. Appropriate
consideration must be given to local operating conditions, economy, culture, technical competencies and other similar factors.

>> In providing recommendations to management, you are expected to exercise professional judgment, and weigh the nature
and magnitude of risks and costs to the organization related to management's adherence to standards, guidelines and
procedures.

Standards: A metric used to determine the correctness of a thing or process; a set of rules or specifications that, when taken
together, define a software or hardware device. A standard is also an acknowledged basis for comparing or measuring something.

Guidelines: A suggested action or recommendation related to an area of information security policy that is intended to
supplement a procedure. Unlike standards, implementation of guidelines may be at the discretion of the reader.

Procedures: A detailed description of the steps necessary to perform specific operations in conformance with applicable
standards.

1.2.2 ISACA IT Audit and Assurance Standards Framework

Auditing Standards
The ISACA standards relate to a number of aspects of the IS audit process.
S1 – Audit Charter

 The purpose, responsibility, authority and accountability of the IS audit function or IS audit assignments should be
appropriately documented in an audit charter or engagement letter.
 The audit charter or engagement letter should be agreed and approved at an appropriate level within the
organization(s).
S2 – Independence (Professional and Organizational)

 Professional Independence: In all matters related to the audit, the IS auditor should be independent of the auditee
in both attitude and appearance.
 Organizational Independence: The IS audit function should be independent of the area or activity being reviewed
to permit objective completion of the audit assignment.
S3 – Professional Ethics and Standards

 The IS auditor should adhere to the ISACA Code of Professional Ethics.

 The IS auditor should exercise due professional care, including observance of applicable professional auditing
standards.
S4 – Professional Competence

 The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment.
 The IS auditor should maintain professional competence through appropriate continuing professional education and
training.

Page 6 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
S5 – Planning

 The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with
applicable laws and professional auditing standards.
 The IS auditor should develop and document a risk-based audit approach.
 The IS auditor should develop and document an audit plan detailing the nature and objectives, timing, extent and
resources required.
 The IS auditor should develop an audit program and procedures.
Audit objective: The specific goal(s) of an audit. These often center on substantiating the existence of internal
controls to minimize business risk.
Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an
audit.
S6 – Performance of Audit Work
Supervision – IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and
applicable professional auditing standards are met.
Evidence – During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve
the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this
evidence.
Documentation – The audit process should be documented, describing the audit work and the audit evidence that supports
the IS auditor's findings and conclusions.

Evidence: The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the
audit objectives and has a logical relationship to the findings and conclusions it is used to support.

S7 – Reporting

 The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should
identify the organization, the intended recipients and any restrictions on circulation.
 The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit
work performed.
 The report should state the findings, conclusions and recommendations and any reservations, qualifications or
limitations in scope that the IS auditor has with respect to the audit.
 The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
 When issued, the IS auditor's report should be signed, dated and distributed according to the terms of the audit
charter or engagement letter.
S8 – Follow-up Activities

 After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant
information to conclude whether appropriate action has been taken by management in a timely manner.
S9 – Irregularities and Illegal Acts

 In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of
irregularities and illegal acts.
 The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or others
within the organization have knowledge of any actual, suspected or alleged irregularities and illegal acts.
 When performing audit procedures to obtain an understanding of the organization and its environment, the IS
auditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements due
to irregularities and illegal acts.
 The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk of
management overriding controls.

Page 7 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
 When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may be
indicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implications
in relation to other aspects of the audit and, in particular, the representations of management.
 The IS auditor should obtain written representations from management at least annually or more frequently
depending on the audit engagement. It should:
o Acknowledge its responsibility for the design and implementation of internal controls to prevent and detect
irregularities or illegal acts.
o Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a
result of an irregularity or illegal act.
o Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organization in relation
to management and employees who have significant roles in internal control.
 The IS auditor should have knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or
illegal acts, affecting the organization as communicated by employees, former employees, regulators and others.
 If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity
or illegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in
a timely manner.
 If the IS auditor has identified a material irregularity or illegal act involving management or employees who have
significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those
charged with governance.
 The IS auditor should advise the appropriate level of management and those charged with governance of material
weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts
that may have come to the IS auditor's attention during the audit.
 If the IS auditor encounters exceptional circumstances, such as a material misstatement or illegal act, that affect the
IS auditor's ability to continue performing the audit, the IS auditor should consider the legal and professional
responsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to report
to those who entered into the engagement or, in some cases, those charged with governance or regulatory
authorities, or consider withdrawing from the engagement.
 The IS auditor should document all communications, planning, results, evaluations and conclusions relating to
material irregularities and illegal acts that have been reported to management, those charged with governance,
regulators and others.
S10 – IT Governance

 The IS auditor should review and assess whether the IS function aligns with the organization's mission, vision,
values, objectives and strategies.
 The IS auditor should review whether the IS function has a clear statement about the performance expected by the
business (effectiveness and efficiency) and assess its achievement.
 The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
 The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary
and security requirements.
 A risk-based approach should be used by the IS auditor to evaluate the IS function.
 The IS auditor should review and assess the control environment of the organization.
 The IS auditor should review and assess the risks that may adversely affect the IS environment.
S11 – Use of Risk Assessment in Audit Planning

 The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit
plan and determining priorities for the effective allocation of IS audit resources.
 When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.
S12 – Audit Materiality

 The IS auditor should consider audit materiality and its relationship to audit risk while determining the nature, timing
and extent of audit procedures.

Page 8 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
 While planning for audit, the IS auditor should consider potential weakness or absence of controls and whether such
weakness or absence of control could result into significant deficiency or a material weakness in the information
system.
 The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses and absence of
controls to translate into significant deficiency or material weakness in the information system.
 The report of the IS auditor should disclose ineffective controls or absence of controls and the significance of the
control deficiencies and possibility of these weaknesses resulting in a significant deficiency or material weakness.
S13 – Using the Work of Other Experts

 The IS auditor should, where appropriate, consider using the work of other experts for the audit.
 The IS auditor should assess and be satisfied with the professional qualifications, competencies, relevant experience,
resources, independence and quality control processes of other experts, prior to engagement.
 The IS auditor should assess, review and evaluate the work of other experts as part of the audit and conclude the
extent of use and reliance on expert’s work.
 The IS auditor should determine and conclude whether the work of other experts is adequate and complete to enable
the IS auditor to conclude on the current audit objectives. Such conclusion should be clearly documented.
 The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence in
circumstances where the work of other experts does not provide sufficient and appropriate audit evidence.
 The IS auditor should provide appropriate audit opinion and include scope limitation where required evidence is not
obtained through additional test procedures.
S14 – Audit Evidence

 The IS auditor should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to
base the audit results.
 The IS auditor should evaluate the sufficiency of audit evidence obtained during the audit.
S15 – IT Controls

 The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of
the organization.
 The IS auditor should assist management by providing advice regarding the design, implementation, operation and
improvement of IT controls.
S16 – E-commerce

 The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to
ensure that e-commerce transactions are properly controlled.

1.2.3 ISACA IT Audit and Assurance Guidelines

The purpose of ISACA IT Audit and Assurance Guidelines is to provide information that will allow the auditor to perform audits
in accordance with the IS Auditing Standards.
There are 40 guidelines in total. The following are the key guidelines that pertain to the IS audit process
G1 – Using the Work of Other Auditors and Experts, effective 1 March 2008
G2 – Audit Evidence Requirement, effective 1 December 1998
G3 – Use of Computer-Assisted Audit Techniques (CAATs), effective 1 March 2008
G4 – Outsourcing of IS Activities to Other Organisations, effective 1 September 1999
G5 – Audit Charter, effective 1 February 2008
G6 – Materiality Concepts for Auditing Information Systems, effective 1 September 1999
G7 – Due Professional Care, effective 1 March 2008
G8 – Audit Documentation, effective 1 March 2008

Page 9 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
G9 – Audit Considerations for Irregularities, effective 1 March 2000
G10 – Audit Sampling, effective 1 March 2000
G11 – Effect of Pervasive IS Controls, effective 1 March 2000
G12 – Organizational Relationship and Independence, effective 1 September 2000
G13 – Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 – Application Systems Review, effective 1 November 2001
G15 – Planning Revised, effective 1 March 2002
G16 – Effect of Third Parties on an Organization's IT Controls, effective 1 March 2002
G17 – Effect of Nonaudit Role on the IS Auditor's Independence, effective 1 July 2002
G18 – IT Governance, effective 1 July 2002
G20 – Reporting, effective 1 January 2003

1.2.4 ISACA IT Audit and Assurance Tools and Techniques

The procedures provide specific steps to enable you to implement the auditing standards.
The tools and techniques for IS auditing include:
P1 – IS Risk Assessment Measurement, effective 1 July 2002
P2 – Digital Signatures, effective 1 July 2002
P3 – Intrusion Detection, effective 1 August 2003
P4 – Viruses and Other Malicious Code, effective 1 August 2003
P5 – Control Risk Self-assessment, effective 1 August 2003
P6 – Firewalls, effective 1 August 2003
P7 – Irregularities and Illegal Acts, effective 1 November 2003
P8 – Security Assessment – Penetration Testing and Vulnerability Analysis, effective 1 September 2004
P9 – Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005
P10 – Business Application Change Control, effective 1 October 2006
P11 – Electronic Funds Transfer (EFT), effective 1 May 2007

1.3 Risk Analysis

Risk- Based Auditing
A Quick Review of Risk Assessment and Mitigating Controls
Definition of Risk
 Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on business mission
 Risk assessment must be based on business requirements, not solely on information systems
Purpose of Risk Management
 Risk Assessment
 Identify and prioritize risk
 Recommend risk-based controls
 Risk Mitigation
 Reduce risk

Page 10 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
 Accept risk
 Transfer risk
 Avoid risk
 Ongoing assessment of risk levels and control effectiveness

Risk Management

Identify Business
Objectives (BO)

Perform Periodic Identify Business

Risk Reevaluation Assets that Support
(BO, RA, RM, RT) the BO

Perform Risk Perform Risk Assess

Treatment (RT) (RA) [Threat –
[Treat existing risks Vulnerability –
not mitigated by Probability –
existing controls] Impact]

Perform Risk
Mitigation (RM)
[Map Risks with
controls in place]

Purpose of Risk Analysis

 Identity threats and vulnerabilities
 Helps auditor evaluate countermeasures / controls.
 Helps auditor decide on auditing objectives.
 Support Risk- Based auditing decision.
 Leads to implementation of internal controls.

Why Use Risk Based Auditing

 Enables management to effectively allocate limited audit resources
 Ensures that relevant information has been obtained from all levels of management
 Establishes a basis for effectively managing the audit plans
 Provides a summary of how the individual audit subject is related to the overall organization as well as to the business
plan

Page 11 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Risk Assessment and Treatment
Assessing security risks
 Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant
to the organization
 Performed periodically to address changes in:
 The environment
 Security requirements and when significant changes occur
Treating security risks
 Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
 Controls should be selected to ensure that risks are reduced to an acceptable level

1.4 Internal Controls

General Controls
Apply to all areas of an organization and include policies and practices established by management to provide reasonable
assurance that specific objectives will be achieved.
Internal Controls
 Policies, procedures, practices and organizational structures implemented to reduce risks
 Classification of internal controls
 Preventive controls
 Detective controls
 Corrective controls

Areas of Internal Control

Internal control system
 Internal accounting controls
 Operational controls
 Administrative controls
IS Controls Versus Manual Controls
Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an
IS environment remain unchanged from those of a manual environment.

IS Controls
 Strategy and direction
 General organization and management
 Access to IT resources, including data and programs
 Systems development methodologies and change control
 Operations procedures
 Systems programming and technical support functions
 Quality assurance procedures
 Physical access controls
 Business continuity/disaster recovery planning
 Networks and communications
 Database administration
 Protection and detective mechanisms against internal and external attacks

Page 12 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Internal control objectives
 Safeguarding of IT assets
 Compliance to corporate policies or legal requirements
 Input
 Authorization
 Accuracy and completeness of processing of data input/transactions
 Output
 Reliability of process
 Backup/recovery
 Efficiency and economy of operations
 Change management process for IT and related systems

Assessing and Implementing Countermeasures

 Cost
 Assess management’s tolerance for risk
 Effectiveness at mitigating Risk

Types of Tests for IS Controls

 Use of audit software to survey the contents of data files
 Assess the contents of operating system parameter files
 Flow-charting techniques for documenting automated applications and business process
 Use of audit reports available in operation systems
 Documentation review
 Observation

1.5 Performing an IS Audit

1.5.1 Classification of Audits
 Financial audits
 Operational audits
 Integrated audits
 Administrative audits
 IS audits
 Specialized audits
 Forensic audits

1.5.2 Audit Programs

Definition of auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding
assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to
which the assertion conforms to an identified set of standards.

Definition of Information Systems Auditing

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related
non-automated processes and the interfaces between them.

Page 13 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Objectives
 An audit compares (measures) actual activity against standards and policy
 Specific goals of the audit
 Confidentiality
 Integrity
 Reliability
 Availability
 Compliance with legal and regulatory requirements
Elements of an Audit
 Audit scope
 Audit objectives
 Criteria
 Audit procedures
 Evidence
 Conclusions and opinions
 Reporting
Creating the Plan for an Audit
1. Gather Information
2. Identify System and Components
3. Assess Risk
4. Perform Risk Analysis
5. Conduct Internal Control Review
6. Set Audit Scope and Objectives
7. Assign Resources
8. Develop Auditing Strategy
Planning the Audit
 Based on the scope and objective of the particular assignment
 IS auditor’s concerns:
 Security (confidentiality, integrity and availability)
 Quality (effectiveness, efficiency)
 Fiduciary (compliance, reliability)
 Service and capacity
Phases of an Audit
 Audit subject
 Audit objective
 Audit scope
 Pre-audit planning
 Audit procedures and steps for data gathering
 Procedures for evaluating the test or review results
 Procedures for communication with management
 Audit report preparation
Audit Workpapers
 Audit plans
 Audit programs
 Audit activities
 Audit tests
 Audit findings and incidents

Page 14 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Procedures
 Understanding of the audit area/subject
 Risk assessment and general audit plan
 Detailed audit planning
 Preliminary review of audit area/subject
 Evaluating audit area/subject
 Verifying and evaluating controls
 Compliance testing
 Substantive testing
 Reporting (communicating results)
 Follow-up

1.5.3 Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives
 Composed of:
 Statement of scope
 Statement of audit objectives
 Statement of audit programs
 Set up and approved by the audit management
 Communicated to all audit staff
Forensic Audits
 Audits specifically related to a crime or serious incident
 Determine
 Scope of incident
 Root cause
 Personnel and systems involved
 Obtain and examine evidence
 Report for further action

1.5.4 Fraud Detection

 Fraud detection is Management’s responsibility
 Benefits of a well-designed internal control system
 Deterring fraud at the first instance
 Detecting fraud in a timely manner
 Fraud detection and disclosure
 Auditor’s role in fraud prevention and detection

1.5.5 Risk-Based Auditing

Performing an Audit Risk Assessment
 Identify
 Business risks
 Technological risks
 Operational risks

Page 15 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
A Risk Based Audit Approach

Gather Data
and Plan for
the Audit

Evaluate the
Perform the
Internal
Audit
Control

Conduct Perform
Substating Compliance
Testing Testing

Risk-based Auditing

Gather Information and Plan;

•Knowledge of business and industry

•Prior year’s audit results
•Recent financial information
•Regulatory statutes
•Inherent risk assessments

Obtain Understanding of Internal Control;

•Control environment
•Control procedures
•Detection risk assessment
•Control risk assessment
•Equate total risk

Perform Compliance Tests;

•Identify key controls to be tested

•Perform tests on reliability, risk prevention, and adherence to organizational policies and
procedures

Perform Substantive Tests;

•Analytical procedures
•Detailed tests of account balances
•Other substantive audit procedures

Conclude the Audit;

•Create recommendations
•Write audit report

Page 16 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Performing the Audit
ISACA IT Audit and Assurance Tools and Techniques
 Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in
an audit engagement
 The IS auditor should apply their own professional judgment to the specific circumstances
ISACA IT Audit and Assurance Standards Framework
Framework for the ISACA IS Auditing Standards:
 Standards
 Guidelines
 Procedures
Relationship Among Standards, Guidelines and Tools and Techniques
Standards
 Must be followed by IS auditors
Guidelines
 Provide assistance on how to implement the standards
Tools and Techniques
 Provide examples for implementing the standards
Evidence
It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence:
 Independence of the provider of the evidence
 Qualification of the individual providing the information or evidence
 Objectivity of the evidence
 Timing of the evidence
Gathering Evidence
Techniques for gathering evidence:
 Review IS organization structures
 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance
Sampling
General approaches to audit sampling:
 Statistical sampling
 Non-statistical sampling
Compliance vs. Substantive Testing
 Compliance test
 Determines whether controls are in compliance with management policies and procedures
 Substantive test
 Tests the integrity of actual processing
 Correlation between the level of internal controls and substantive testing required
 Relationship between compliance and substantive tests

Page 17 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Testing Controls

Review the system to identify controls

Test compliance to determine whether controls are functioning.

Evaluate the controls to determine the basis for reliance and the
nature, scope and timing of substantive tests.

Use two types of substantive tests to evaluate the validity of the data.

Perform analytic review

Test balance and transactions
procedures

Integrated Auditing

Process whereby appropriate audit disciplines are combined

to assess key internal controls over an operation, process or Operational
entity. Audit

 Focuses on risk to the organization (for an internal

auditor)
Financial
 Focuses on the risk of providing an incorrect or IS Audit
Audit
misleading audit opinion (for an external auditor)

Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:
 Audit charter or contractual stipulations
 Impact on overall and specific IS audit objectives
 Impact on IS audit risk and professional liability
 Independence and objectivity of other auditors and experts
 Professional competence, qualifications and experience
 Scope of work proposed to be outsourced and approach
 Supervisory and audit management controls
 Method of communicating the results of audit work
 Compliance with legal and regulatory stipulations
 Compliance with applicable professional standards

Page 18 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Audit Risk
 Inherent Risk
 Control Risk
 Overall Audit Risk
 Detection Risk

Computer-assisted Audit Techniques

 CAATs enable IS auditors to gather information independently
 CAATs include:
 Generalized audit software (GAS)
 Utility software
 Debugging and scanning software
 Test data
 Application software tracing and mapping
 Expert systems
 Features of generalized audit software (GAS):
 Mathematical computations
 Stratification
 Statistical analysis
 Sequence checking
 Functions supported by GAS:
 File access
 File reorganization
 Data selection
 Statistical functions
 Arithmetical functions
 CAATs as a continuous online audit approach:
 Improves audit efficiency
 IS auditors must:
o Develop audit techniques for use with advanced computerized systems
o Be involved in the design of advanced systems to support audit requirements
o Make greater use of automated tools

Audit Analysis and Reporting

Audit Documentation
Audit documentation includes:
 Planning and preparation of the audit scope and objectives
 Description on the scoped audit area
 Audit program
 Audit steps performed and evidence gathered
 Other experts used
 Audit findings, conclusions and recommendations

Page 19 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Automated Work Papers
 Risk analysis
 Audit programs
 Results
 Test evidences
 Conclusions
 Reports and other complementary information
 Minimum controls:
 Access to work papers
 Audit trails
 Automated features to provide and record approvals
 Security and integrity controls
 Backup and restoration
 Encryption techniques
Evaluation of Audit Strengths and Weaknesses
 Assess evidence
 Evaluate overall control structure
 Evaluate control procedures
 Assess control strengths and weaknesses
Communicating Audit Results
 Exit interview
 Correct facts
 Realistic recommendations
 Implementation dates for agreed recommendations
 Presentation techniques
 Executive summary
 Visual presentation
 Audit report structure and contents
 Introduction to the report
 Audit findings presented in separate sections
 The IS auditor’s overall conclusion and opinion
 The IS auditor’s reservations with respect to the audit – audit limitations
 Detailed audit findings and recommendations
 Audit recommendations may not be accepted
 Negotiation
 Conflict resolution
 Explanation of results, findings and best practices or legal requirements
Management Implementation of Audit Recommendations
 Ensure that accepted recommendations are implemented as per schedule
 Auditing is an ongoing process
 Timing a follow-up
Control Self-Assessment
 A management technique
 A methodology
 In practice, a series of tools
 Can be implemented by various methods

Page 20 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Objectives of CSA
 Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas
 Enhancement of audit responsibilities, not a replacement
 Educate management about control design and monitoring
 Empowerment of workers to assess the control environment
Benefits of CSA
 Early detection of risks
 More effective and improved internal controls
 Increased employee awareness of organizational objectives
 Highly motivated employees
 Improved audit rating process
 Reduction in control cost
 Assurance provided to stakeholders and customers
Disadvantages of CSA
 Could be mistaken as an audit function replacement
 May be regarded as an additional workload
 Failure to act on improvement suggestions could damage employee morale
 Lack of motivation may limit effectiveness in the detection of weak controls

Auditor Role in CSA

 Internal control professionals
 Assessment facilitators

Traditional vs.CSA Approach

 Traditional Approach
 Assigns duties/supervises staff
 Policy/rule driven
 Limited employee participation
 Narrow stakeholder focus
 CSA Approach
 Empowered/accountable employees
 Continuous improvement/learning curve
 Extensive employee participation and training
 Broad stakeholder focus
Continuous Auditing Vs. Continuous Monitoring
 Continuous monitoring
 Provided by IS management tools
 Based on automated procedures to meet fiduciary responsibilities
 Continuous auditing
 Audit-driven
 Completed using automated audit procedures

Page 21 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Continuous Auditing
 Distinctive character
 Short time lapse between the facts to be audited and the collection of evidence and audit reporting
 Drivers
 Better monitoring of financial issues
 Allows real-time transactions to benefit from real-time monitoring
 Prevents financial fiascoes and audit scandals
 Uses software to determine proper financial controls
 Application of continuous auditing due to:
 New information technology developments
 Increased processing capabilities
 Standards
 Artificial intelligence tools
 Advantages
 Instant capture of internal control problems
 Reduction of intrinsic audit inefficiencies
 Disadvantages
 Difficulty in implementation
 High cost
 Elimination of auditors’ personal judgment and evaluation

ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of
ISACA and/or holders of ISACA designations.

Conclusion
 Know
 Audit Planning
 Performing an Audit
 Risk as related to audit planning and performance
 Ongoing Audit techniques
 Ethics

--- End of Domain ---

Page 22 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
From ISACA Demo Training on CISA
Audit Documentation
In addition to the audit plan, the documentation for an IS audit includes:

 A description or diagram of the IS environment

 Audit programs
 Minutes of meetings
 Audit evidence
 Findings
 Conclusions and recommendations
 Any report issued as a result of the audit work
 Supervisory review comments, if any
The audit entity, its scope and its objectives dictate the exact content of documentation. ISACA has published guideline G8, Audit
Documentation, to discuss this.

All the documentation must be kept in safe custody and must be available in accordance with legal, professional and organizational
requirements.

Audit documentation should support the findings and conclusions. Often timing is an important consideration in evidence collection – for
example, in date and time stamping of materials, or in recording the time when observations were made or work was performed. This
information may be critical to supporting the findings and conclusions. It is your responsibility to ensure the evidence gathered and
documented will support your findings. Audit documentation should also contain appropriate working papers, narratives, questionnaires and
system flowcharts.

At a minimum, documentation should include a record of the:

 Planning and preparation of the audit scope and objectives

 Description and/or walkthroughs on the scoped audit area
 Audit program
 Audit steps performed and audit evidence gathered
 Use of services of other auditors and experts
 Audit findings, conclusions and recommendations
The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work. Also
necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.
Audit documentation should be clear, complete, and easy to retrieve. It is necessary evidence supporting the conclusions reached.
Generally, audit documentation is the property of the auditing entity. Policies regarding custody, retention requirements and release of audit
documentation should be developed by the IS auditor. The documentation should be accessible only to authorized personnel. The auditor
should have the approval of the client or senior management before providing any external parties access to audit documentation.

Audit scope: Defines in specific detail, which areas and/or functions within an organization will be subject to audit, and what
the audit will address, during this audit cycle.
Using the Services of Other Auditors and Experts
Often, the services of other auditors or outside experts may be required for an audit. However, the delegation of work does
not necessarily mean a delegation of professional liability, even if the entire audit is performed by an external service provider.
The IS auditor (or the entity employing the services) is responsible for:
 Clearly communicating the audit objectives, scope and methodology through a formal engagement letter to the
external service provider
 Implementing a monitoring process to regularly review the work of the external service provider with regard to
planning, supervision, review and documentation
 Assessing the usefulness and appropriateness of reports of these external providers
 Assessing the impact of significant findings on the overall audit objectives
ISACA IT Audit and Assurance Standards and Guidelines
G1 – Using the Work of Other Auditors and Experts, effective 1 March 2008

Page 23 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
IS Audit Expert

As the IS auditor, you are permitted to use and rely on the audit work carried out by another auditor, either internal or external, but the
nature, timing and extent of audit evidence required will depend upon the significance of the other IS auditor's or expert's work.

Your planning process should identify the level of review that is required to provide sufficient, reliable, relevant and useful audit evidence to
achieve the overall IS audit objectives effectively.

You should consider reviewing the other auditor's or expert's final report, audit programs and audit work papers. You should also consider
whether supplemental testing of the other auditor's or expert's work is required.

Where a review of the other auditor's or expert's work papers is necessary, it is necessary to perform sufficient audit work to confirm that
the other auditor's or expert's work was appropriately planned, supervised, documented and reviewed, and to consider the appropriateness
and sufficiency of the audit evidence provided by them. The other auditor's or expert's compliance with relevant professional standards
should also be assessed.

Finally, assess the usefulness and appropriateness of reports issued by the other auditors and experts, and consider any significant findings
reported by them.

It is your responsibility as the IS auditor to assess the effect of the other auditor's or expert's findings and conclusions on the overall audit
objective, and to verify that any additional work required to meet the overall audit objective is completed.

Q: According to the ISACA IT Audit and Assurance Standards Guidelines, and Procedures, where an independent audit will be required later
and you are the only IS auditor with the requisite skills to carry out both the nonaudit role and the subsequent audit, how should you
proceed in fulfilling your audit responsibilities?
According to the ISACA IT Audit and Assurance Guidelines, specifically G17 – Effect of Nonaudit Role on the IS Auditor's Independence,
paragraph 3 (Independence), subparagraph 3.1.3…
Despite there being no requirement for the IS auditor to be independent while playing a nonaudit role in an IS initiative, you should consider
whether such a role could be deemed to impair independence if you were assigned to audit the IS initiative and/or the related function.
Where such a conflict is foreseeable, you should discuss the issue with the audit committee or equivalent governance body prior to
embarking on the nonaudit role.
The tradeoff between nonaudit role in an IS initiative and the independent audit of the IS initiative (or the related function) should be the
decision of the audit committee or equivalent governance body. Aspects that are likely to influence the decision include:
>> Potential alternative resources for either role
>> Perception of the relative value added by the conflicting activities
>> Potential for educating the IS team so that future initiatives could benefit
>> Career development opportunities and succession planning for the IS auditor
>> Level of risk attached to the nonaudit role
>> Effect on the visibility, profile, image, etc., of the IS audit function
>> Effect of the decision on the requirements of external auditors or regulators, if any
>> The provisions of the IS audit charter

The Auditor's Responsibility

When making inquiries and performing audit procedures, the IS auditor should not be expected to fully disregard past
experience, but should be expected to maintain a level of professional skepticism.
The IS auditor should not be satisfied with less-than-persuasive audit evidence based on a belief that management and those
charged with governance are honest and have integrity.
To evaluate the risk of the existence of material irregularities and illegal acts, the IS auditor should consider the use of:

 His or her previous knowledge and experience with the organization

 Information obtained by making inquiries of management
 Management representations and internal control sign-offs
 Other reliable information obtained during the course of the audit
 Management's assessment of the risk of irregularities and illegal acts, and its process for identifying and responding
to these risks
Audit Follow-up

Page 24 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to
conclude whether appropriate action has been taken by management in a timely manner. (Reference: ISACA ISACA IT Audit
and Assurance Standard S8 – Follow-up Activities)
Factors that should be considered in determining appropriate follow-up procedures are the:

 Significance of the reported finding or recommendation

 Effect that may result if the corrective action fails
 Degree of effort and cost needed to correct the reported issue
 Complexity of the corrective action
 Time period involved
And...

 Any changes in the IS environment that may affect the significance of a reported observation

Important!
If the IS auditor is working in an internal audit environment, responsibility for follow-up should be defined in the internal audit
activity's written charter.

Compliance: The act of conformity undertaken due to the trepidation of legal or regulatory sanctions, financial loss, or damage to
reputation and franchise value that may arise when an organization fails to comply with laws, regulations, standards or codes of conduct of
self-regulatory organizations applicable to the business activities and functions within the organization.

Ethics: A code of core values that guides our choices and actions, and determines the purpose and course of our organization and lives.
Standards of duty and virtue that indicate how we should behave.

Evidence: The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit
objectives and has a logical relationship to the findings and conclusions it is used to support

Follow-up activities: The process to ensure prompt and responsive action is taken once management decision has been reached on
recommendations contained in final audit reports.

Governance: The use of institutions, structures of authority and even collaboration to allocate resources and coordinate or control activity
in an organization.

Guidelines: A suggested action or recommendation related to an area of information security policy that is intended to supplement a
procedure. Unlike standards, implementation of guidelines may be at the discretion of the reader.

Policy: Generally, a document that records a high-level principle or course of action which has been decided upon. A policy's intended
purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans
established by the enterprise's management teams. In addition to policy content, policies need to describe the consequences of failing to
comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and
measured.

Procedures: A detailed description of the steps necessary to perform specific operations in conformance with applicable standards.

Standards: A metric used to determine the correctness of a thing or process; a set of rules or specifications that, when taken together,
define a software or hardware device. A standard is also an acknowledged basis for comparing or measuring something.

Practice Questions/CPE Quiz

Page 25 of 26
 CISA Exam Preparation Guide
Prepared By: MD. JAHANGIR ALAM, CISA | jahangircsebd@gmail.com
Question 1

Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The
IS auditor should:

A. refuse the assignment because it is not the role of the IS auditor.

B. inform management of his/her inability to conduct future audits.

C. perform the assignment and future audits with due professional care.

D. obtain the approval of user management to perform the implementation and follow-up.

Your Answer: inform management of his/her inability to conduct future audits. View

Explanation: Correct! An IS auditor can perform non audit assignments if his or her expertise can be of use to management; however, by
performing the nonaudit assignment, the IS auditor cannot conduct the future audits of the areas because his or her independence may be
compromised. The independence of the IS auditor will not be impaired when recommending controls to the auditee after the audit. In this
situation, the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee’s area.

Question 2

The PRIMARY purpose of an audit charter is to:

A. document the audit process used by the enterprise.

B. formally document the audit department's plan of action.

C. document a code of professional conduct for the auditor.

D. describe the authority and responsibilities of the audit department.

The PRIMARY purpose of an audit charter is to:

Your Answer: describe the authority and responsibilities of the audit department. View

Explanation: Correct! Standard S1 - Audit Charter states "The purpose, responsibility, authority and accountability of the information
systems audit function or information audit assignments should be appropriately documented in an audit charter or engagement letter." The
audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and
delegation of authority to the audit department.

Question 3

An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the
application. The IS auditor should:

A. disregard these control weaknesses, because a system software review is beyond the scope of this review.

B. conduct a detailed system software review and report the control weaknesses.

C. include in the report a statement that the audit was limited to a review of the application's controls.

D. review the system software controls as relevant and recommend a detailed system software review.

An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the
application. The IS auditor should:

Your Answer: conduct a detailed system software review and report the control weaknesses. View

Explanation: Where the applications are dependent on system software then the effectiveness of those controls should be considered.
However, detailed review of such controls can be outside the audit as part of a detailed system software review if it hampers the audit's
schedule, or if IS auditor may not be technically competent to do such a review at this time. See audit Guideline G14, Application Systems
Review Planning Considerations.

Page 26 of 26