
COBIT®, CISA®, CISM®, CRISC® and CGEIT® are registered trademarks of ISACA.

 Start and finish
 Course style
 Coffee and breaks
 Lunch

M00 - Course introduction 2/8 | 2/623


 Introduction to CISA certification
 The role of CISA
 Understanding the IT Audit terms,
concepts and activities
 Understanding of ISACA IS Audit
and Assurance Guidelines
 Presenting business value
and requirements of IT Audit
Main goal
 Preparing students to CISA exam
Secondary goal
 Awareness of IT Audit best practices

M00 - Course introduction 3/8 | 3/623


 Please share with the class:
 Your name and surname
 Your organization
 Your profession (title, function,
job responsibilities)
 Your experience with the
ITSM/ITIL/InfoSec/IT Audit
 Your personal session
expectations

M00 - Course introduction 4/8 | 4/623


 CISA Review Manual 2016
 Pages: 468
 Published: 2015
 Publisher: ISACA
 Format: Softcover
 ISBN-13: 978-1604203677
 Knowledge and experience from IT Audit and GRC are
validated on the CISA exam against the knowledge and
way of thinking presented in this manual

CISA® Review Manual cover, copyright © ISACA.

M00 - Course introduction 5/8 | 5/623


M00 - Course introduction 6/8 | 6/623
quizlet.com/42740590/

M00 - Course introduction 7/8 | 7/623


Mirosław Dąbrowski
Agile Coach, Trainer, Consultant (former JEE/PHP developer, UX/UI designer, BA/SA)
linkedin.com/in/miroslawdabrowski | google.com/+miroslawdabrowski | twitter.com/mirodabrowski | miroslaw_dabrowski

Creator
• Creator of 50+ mind maps from PPM and related topics (2mln views): miroslawdabrowski.com
• Lead author of more than 50+ accredited materials from PRINCE2, PRINCE2 Agile, MSP, MoP, P3O, ITIL, M_o_R, MoV, PMP, Scrum, AgilePM, DSDM, CISSP, CISA, CISM, CRISC, CGEIT, TOGAF, COBIT5 etc.
• Creator of 50+ interactive mind maps from PPM topics: mindmeister.com/users/channel/2757050

Writer / Translator
• Product Owner of biggest Polish project management portal: 4PM: 4pm.pl (15.000+ views each month)
• Editorial Board Member of Official PMI Poland Chapter magazine: “Strefa PMI”: strefapmi.pl
• Official PRINCE2 Agile, AgilePM, ASL2, BiSL methods translator for Polish language
linkedin.com/in/miroslawdabrowski

Trainer / Coach
• English speaking, international, independent trainer and coach from multiple domains
• Master Lead Trainer
• 11+ years in training and coaching / 15.000+ hours
• 100+ certifications
• 5000+ people trained and coached
• 25+ trainers trained and coached

Agile Coach / Scrum Master
• 8+ years of experience with Agile projects as a Scrum Master, Product Owner and Agile Coach
• Coached 25+ teams from Agile and Scrum
• Agile Coach coaching C-level executives
• Scrum Master facilitating multiple teams, experienced with UX/UI + Dev teams
• Experience with multiple Agile methods
• Author of AgilePM/DSDM Project Health Check Questionnaire (PHCQ) audit tool

PM / IT architect
• Dozens of mobile and ecommerce projects
• IT architect experienced in IT projects with budget above 10mln PLN and timeline of 3+ years
• Experienced with (“traditional”) projects under high security, audit and compliance requirements based on ISO/IEC 27001
• 25+ web portal design and development and mobile application projects with iterative, incremental and adaptive approach

Notable clients
ABB, AGH, Aiton Caldwell, Asseco, Capgemini, Deutsche Bank, Descom, Ericsson, Ericpol, Euler Hermes, General Electric, Glencore, HP Global Business Center, Ideo, Infovide-Matrix, Interia, Kemira, Lufthansa Systems, Media-Satrun Group, Ministry of Defense (Poland), Ministry of Justice (Poland), Nokia Siemens Networks, Oracle, Orange, Polish Air Force, Proama, Roche, Sabre Holdings, Samsung Electronics, Sescom, Scania, Sopra Steria, Sun Microsystems, Tauron Polish Energy, Tieto, University of Wroclaw, UBS Service Centre, Volvo IT…
miroslawdabrowski.com/about-me/clients-and-references/

Accreditations/certifications (selected): CISA, CISM, CRISC, CASP, Security+, Project+, Network+, Server+, Approved
Trainer: (MoP, MSP, PRINCE2, PRINCE2 Agile, M_o_R, MoV, P3O, ITIL Expert, RESILIA), ASL2, BiSL, Change Management,
Facilitation, Managing Benefits, COBIT5, TOGAF 8/9L2, OBASHI, CAPM, PSM I, SDC, SMC, ESMC, SPOC, AEC, DSDM Atern,
DSDM Agile Professional, DSDM Agile Trainer-Coach, AgilePM, OCUP Advanced, SCWCD, SCBCD, SCDJWS, SCMAD, ZCE 5.0,
ZCE 5.3, MCT, MCP, MCITP, MCSE-S, MCSA-S, MCS, MCSA, ISTQB, IQBBA, REQB, CIW Web Design / Web Development /
Web Security Professional, Playing Lean Facilitator, DISC D3 Consultant, SDI Facilitator, Certified Trainer Apollo 13 ITSM
Simulation …

www.miroslawdabrowski.com
M00 - Course introduction 8/8 | 8/623
1. Overview of the CISA certification
2. Domain 1 - The Process of Auditing
Information Systems
3. Domain 2 - Governance and
Management of IT
4. Domain 3 - Information Systems
Acquisition, Development, and
Implementation
5. Domain 4 - Information Systems
Operations, Maintenance and
Service Management
6. Domain 5 - Protection of Information
Assets
M01 - Overview of the CISA certification 2/9 | 10/623
 Domain 1
 The Process of Auditing Information
Systems
 Domain 2
 Governance and Management of IT
 Domain 3
 Information Systems Acquisition,
Development, and Implementation
 Domain 4
 Information Systems Operations,
Maintenance and Support
 Domain 5
 Protection of Information Assets

M01 - Overview of the CISA certification 3/9 | 11/623


 CISA is the only globally recognized certification in the
area of audit, controls and security of information systems
and is – in view of the stringent and globally identical
requirements – internationally recognized
 The technical skills and practices the CISA certification
promotes and evaluates are the building blocks of success
in this growing field, and the CISA designation demonstrates
proficiency in this role
 The CISA job profile has so far been consistently revised in
4 to 6 year intervals (the last time in 2010)
 Certification launched: 1981
 Number of certified: 106,000

M01 - Overview of the CISA certification 4/9 | 12/623


 CISA exam questions are developed with the intent of
measuring and testing practical knowledge and the
application of general concepts and standards.
 PBE & CBE (only pencil & eraser are allowed)
 4 hour exam
 200 multiple choice questions designed with one best
answer
 No negative points
 No pre-requisites for the exam (only for attending the exam)

M01 - Overview of the CISA certification 5/9 | 13/623


 Must
 ISACA IT Audit and Assurance
Standards and Guidelines
 ISACA CISA official glossary
 ISACA CISA Item Development Guide
 ISACA CISA QAE Item Development Guide
 Should
 ISACA CISA Review Manual
 ISACA Risk IT Framework / ISACA The Risk
IT Practitioner Guide
 Could
 COBIT 5 publications
 CISA Essential Exam Notes
M01 - Overview of the CISA certification 6/9 | 14/623
 Candidates who pass the CISA exam are not automatically
CISA-certified / qualified and cannot use the CISA
designation
 All current requirements are present in the official CISA
“Application for CISA Certification” document:
www.isaca.org/cisaapp

M01 - Overview of the CISA certification 7/9 | 15/623


 ISACA CISA Review Manual Structure
 CISA Domain Structure
 About the CISA Exam
 Recommended reading for CISA exam
 Earning the CISA qualification

M01 - Overview of the CISA certification 8/9 | 16/623


M01 - Overview of the CISA certification 9/9 | 17/623
1. Overview of the CISA certification
2. Domain 1 - The Process of Auditing
Information Systems
3. Domain 2 - Governance and
Management of IT
4. Domain 3 - Information Systems
Acquisition, Development, and
Implementation
5. Domain 4 - Information Systems
Operations, Maintenance and
Service Management
6. Domain 5 - Protection of Information
Assets
M02 - Domain 1 - The Process of Auditing Information Systems 2/134 | 19/623
 Learning objectives
 Domain 1 - CISA exam relevance
 Module agenda
 Auditing
 Risk-Based Auditing
 Internal Controls
 Audit Planning
 Performing the Audit
 Sampling
 Audit Analysis and Reporting
 Control Self-Assessment (CSA)
 ISACA Code of Professional Ethics
 Sample questions

M02 - Domain 1 - The Process of Auditing Information Systems 3/134 | 20/623


 After this module, the CISA candidate should be able to
 Develop and implement a risk-based IT audit strategy based on IT Audit
standards
 Plan specific audits to determine whether information systems are protected,
controlled and provide value to the organization
 Conduct audits in accordance with IT audit standards to achieve planned audit
objectives
 Report audit findings and make recommendations to key stakeholders to
communicate results and effect change when necessary
 Conduct follow-ups or prepare status reports to ensure
appropriate actions have been taken by management
in a timely manner

M02 - Domain 1 - The Process of Auditing Information Systems 4/134 | 21/623


 Ensure that the CISA candidate …
 Has the knowledge necessary to provide audit services in
accordance with IT audit standards to assist the organization with
protecting and controlling information systems

M02 - Domain 1 - The Process of Auditing Information Systems 5/134 | 22/623


 There are 5 general task statements pertaining to IT Audit
in CISA Certification Job Practice
 In general
 Develop and implement a risk-based IT audit strategy
 Plan specific audits
 Conduct audits in accordance with IT audit standards.
 Report audit findings and make recommendations
 Conduct follow-ups or prepare status reports

M02 - Domain 1 - The Process of Auditing Information Systems 6/134 | 23/623


 There are 11 general knowledge statements pertaining to IT
Audit in CISA Certification Job Practice
 Knowledge of (selected)
 ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques,
Code of Professional Ethics
 Risk assessment concepts, tools and techniques
 Control objectives and controls related to information systems
 Audit planning and audit project management techniques
 Fundamental business processes
 Applicable laws and regulation
 Evidence collection techniques
 Different sampling methodologies
 Reporting and communication techniques
 Audit quality assurance systems and frameworks

M02 - Domain 1 - The Process of Auditing Information Systems 7/134 | 24/623


M02 - Domain 1 - The Process of Auditing Information Systems 8/134 | 25/623
M02 - Domain 1 - The Process of Auditing Information Systems 9/134 | 26/623
M02 - Domain 1 - The Process of Auditing Information Systems 10/134 | 27/623
 Audit begins with the acceptance of an Audit Charter (or
engagement letter)
 Provides
 Authority for audit
 Responsibility
 Reporting requirements
 Signed by
 Audit Committee
 Senior Management
 Steering Committee

M02 - Domain 1 - The Process of Auditing Information Systems 11/134 | 28/623


 An audit compares (measures) actual activity against
 Standards and internal policy/ies
 Compliance with legal and regulatory requirements
 Specific goals of the audit
 CIA
 Confidentiality
 Integrity
 Availability
 Reliability
 Performance
…

M02 - Domain 1 - The Process of Auditing Information Systems 12/134 | 29/623


 Involves short and long term planning (annual basis)
 New control issues
 Changes / Upgrades to technologies
 Business process / Need / Goals
 Auditing / Evaluation Techniques
 Acquisitions / Mergers
 Based on concerns of management or areas of higher risk
 Process failures
 Financial operations
 Compliance requirements
 Regulations changes

M02 - Domain 1 - The Process of Auditing Information Systems 13/134 | 30/623


 Financial audits
 Operational audits
 Integrated audits
 Administrative audits
 IS audits
 Forensic audits
 Specialized audits
 ...

M02 - Domain 1 - The Process of Auditing Information Systems 14/134 | 31/623


 Audit objectives / goal
 Audit scope
 Internal / External / Departments / Business Partners
 Criteria
 Responsibilities
 of management
 of internal and external auditors
 Audit procedures
 Evidence
 Conclusions and opinions
 Reporting
M02 - Domain 1 - The Process of Auditing Information Systems 15/134 | 32/623
1. Gather Information
2. Identify System and Components
3. Assess Risk
4. Perform Risk Analysis
5. Conduct Internal Control Review
6. Set Audit Scope and Objectives
7. Develop Auditing Strategy
8. Assign Resources

M02 - Domain 1 - The Process of Auditing Information Systems 16/134 | 33/623


 Audit Program Challenges
 Limited number of IS auditors
 Maintenance of their technical competence
 Assignment of audit staff

M02 - Domain 1 - The Process of Auditing Information Systems 17/134 | 34/623


 Based on the scope and objective of the particular
assignment
 IS auditor’s concerns
 Security (confidentiality, integrity and availability)
 Quality (effectiveness, efficiency)
 Fiduciary (compliance, reliability)
 Service and capacity
 Audit risk

M02 - Domain 1 - The Process of Auditing Information Systems 18/134 | 35/623


 A set of documented audit procedures designed to achieve
planned audit objectives
 Composed of
 Statement of scope
 Statement of audit objectives
 Statement of audit programs
 Set up and approved by the audit management
 Communicated to all audit staff

M02 - Domain 1 - The Process of Auditing Information Systems 19/134 | 36/623


 Audit plans
 Audit programs
 Audit activities
 Audit tests
 Audit findings
 Audit evidence
 Audit incidents

M02 - Domain 1 - The Process of Auditing Information Systems 20/134 | 37/623


1. Audit subject
2. Audit objective
3. Audit scope
4. Pre-audit planning
5. Audit procedures and steps for information gathering
6. Procedures for evaluating the test or review results
7. Procedures for communication with management
8. Audit report preparation

M02 - Domain 1 - The Process of Auditing Information Systems 21/134 | 38/623


 Understanding of the audit area / subject
 Risk assessment and general audit plan
 Detailed audit planning
 Preliminary review of audit area / subject
 Evaluating audit area / subject
 Verifying and evaluating controls
 Compliance testing
 Substantive testing
 Reporting (communicating results)
 Follow-up

M02 - Domain 1 - The Process of Auditing Information Systems 22/134 | 39/623


 Use of audit software to survey the contents of data files
 Assess the contents of operating system parameter files
 Flow-charting techniques for documenting automated
applications and business process
 Use of audit reports available in operation systems
 Documentation review
 Observation

M02 - Domain 1 - The Process of Auditing Information Systems 23/134 | 40/623


 Audits specifically related to a
crime or serious incident
 Determine
 Scope of incident
 Root cause
 Personnel and systems involved
 Obtain and examine evidence
 Report for further action

M02 - Domain 1 - The Process of Auditing Information Systems 24/134 | 41/623


 Fraud detection is Management’s
responsibility
 Benefits of a well-designed
internal control system
 Deterring fraud at the first instance
 Detecting fraud in a timely manner
 Fraud detection and disclosure
 Auditor’s role in fraud prevention
and detection

M02 - Domain 1 - The Process of Auditing Information Systems 25/134 | 42/623


M02 - Domain 1 - The Process of Auditing Information Systems 26/134 | 43/623
M02 - Domain 1 - The Process of Auditing Information Systems 27/134 | 44/623
Inherent risk – Errors likely to occur
Control risk – Errors that bypass controls (errors not detected by controls)
Detection risk – Errors caught by auditor
Audit risk – Errors undetected by auditor

M02 - Domain 1 - The Process of Auditing Information Systems 28/134 | 45/623


 Audit Risk
 The risk that the auditors may unknowingly fail to modify their opinion appropriately on
financial statements that are materially misstated

 Inherent Risk
 The susceptibility of an account balance, disclosure or class of transactions, considered at
the assertion level, to a material misstatement, assuming there are no related controls.
 Control Risk
 The risk that a material misstatement that could occur in an account balance, disclosure
or class of transactions, considered at the assertion level, will not be prevented or
detected and corrected on a timely basis by the client’s internal control system.
 Detection Risk
 The risk that the auditors will not detect a material misstatement that exists in an
account balance, disclosure, or class of transactions assertion considered at the assertion
level.

M02 - Domain 1 - The Process of Auditing Information Systems 29/134 | 46/623


 It implies that auditors should attempt to predict where
misstatements are most and least likely in the FS segments
(account or class of transactions).
 Inherent risk is a measure of the likelihood that there are
material misstatements (errors or fraud) in a segment (class
of transactions / account balance) before considering the
effectiveness of internal controls

M02 - Domain 1 - The Process of Auditing Information Systems 30/134 | 47/623


 The assessment of the likelihood that a misstatement that
could occur and that could be material will not be
prevented or detected by the internal control system.
 Ideally, the control system would detect any material errors
before they enter the financial statements.

M02 - Domain 1 - The Process of Auditing Information Systems 31/134 | 48/623


 Is a measure of the risk that audit evidence (substantive
procedures planned by the auditor to detect material
misstatements in the FS: tests of details of transactions,
tests of details of balances, and analytical procedures) will
fail to detect misstatements that could be material

 Detection risk depends on the other factors and is inversely
related to the combined inherent and control risk
 It determines the amount of substantive evidence the
auditor plans to accumulate in order to reduce the
detection risk to an acceptable level.

M02 - Domain 1 - The Process of Auditing Information Systems 32/134 | 49/623


 Audit risk may be considered as the product of the various
risks which may be encountered in the performance of the
audit.
 In order to keep the overall audit risk of engagements
below acceptable limit, the auditor must assess the level of
risk pertaining to each component of audit risk.

$$\text{Audit Risk} = \text{Inherent Risk} \times \text{Control Risk} \times \text{Detection Risk}$$
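A worked rearrangement of the audit risk model, added here as an illustration (not part of the original slides); the numeric values are assumed for the example:

$$
\text{AR} = \text{IR} \times \text{CR} \times \text{DR}
\quad\Longrightarrow\quad
\text{DR} = \frac{\text{AR}}{\text{IR} \times \text{CR}}
$$

With an acceptable audit risk of $\text{AR} = 0.05$, an assessed inherent risk $\text{IR} = 0.80$ and control risk $\text{CR} = 0.50$:

$$
\text{DR} = \frac{0.05}{0.80 \times 0.50} = 0.125
$$

If controls cannot be relied upon ($\text{CR} = 1.0$), the same target requires $\text{DR} = 0.05 / 0.80 = 0.0625$: the lower the planned detection risk, the more substantive evidence the auditor must accumulate, which is the inverse relationship stated above.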

M02 - Domain 1 - The Process of Auditing Information Systems 33/134 | 50/623


 Risk Assessment must be based on business requirements, not solely
on information systems or technical requirements
 Risk Assessment
 Identify and prioritize risk
 Recommend risk-based controls
 Risk Mitigation
 Reduce risk
 Accept risk
 Transfer risk
 Share risk
 Avoid risk
 Ongoing assessment of risk levels
and control effectiveness

M02 - Domain 1 - The Process of Auditing Information Systems 34/134 | 51/623


1. Identify Business Objectives (BO)
2. Identify Business Assets that Support the BO
3. Perform Risk Assessment (RA) [Threat – Vulnerability – Probability – Impact]
4. Perform Risk Mitigation (RM) [Map Risks with controls in place]
5. Perform Risk Treatment (RT) [Treat existing risks not mitigated by existing controls]
6. Perform Periodic Risk Revaluation (BO, RA, RM, RT)

M02 - Domain 1 - The Process of Auditing Information Systems 35/134 | 52/623


 From the IS auditor’s perspective, risk analysis serves more
than one purpose
 It assists the IS auditor in identifying risks and threats to an IT
environment and IS system - risks and threats that would need to
be addressed by management - and in identifying system specific
internal controls
 Depending on the level of risk, this assists the IS auditor in
selecting certain areas to examine

M02 - Domain 1 - The Process of Auditing Information Systems 36/134 | 53/623


 IS auditors must
 Be able to identify and differentiate risk types and the controls
used to mitigate these risks
 Have knowledge of common business risks, related technology
risks and relevant controls
 Be able to evaluate the risk assessment and management
techniques used by business managers, and to make assessments
of risk to help focus and plan audit work
 Understand that risk exists within the audit process

M02 - Domain 1 - The Process of Auditing Information Systems 37/134 | 54/623


 In analyzing the business risks arising from the use of IT, it is
important for the IS auditor to have a clear understanding
of
 The purpose and nature of business, the environment in which the
business operates and related business risks
 The dependence on technology and related dependencies that
process and deliver business information
 The business risks of using IT and related dependencies and how
they impact the achievement of the business goals and objectives
 A good overview of the business processes and the impact of IT
and related risks on the business process objectives

M02 - Domain 1 - The Process of Auditing Information Systems 38/134 | 55/623


 Identify threats and vulnerabilities
 Helps auditor evaluate countermeasures / controls
 Helps auditor decide on auditing objectives
 Support Risk-Based auditing decision
 Helps identify risks and vulnerabilities
 Leads to implementation of internal controls

M02 - Domain 1 - The Process of Auditing Information Systems 39/134 | 56/623


 Enables management to effectively allocate limited audit
resources
 Ensures that relevant information has been obtained from
all levels of management
 Establishes a basis for effectively managing the audit plans
 Provides a summary of how the individual audit subject is
related to the overall organization as well as to the business
plan

M02 - Domain 1 - The Process of Auditing Information Systems 40/134 | 57/623


 Assessing security risks
 Risk assessments should identify, quantify and prioritize
risks against criteria for risk acceptance and objectives
relevant to the organization
 Performed periodically to address changes in
 The environment
 Security requirements and when significant changes occur
 Treating security risks
 Each risk identified in a risk assessment needs to be treated in a
cost-effective manner according to its level of risk
 Controls should be selected to ensure that risks are reduced to an
acceptable level

M02 - Domain 1 - The Process of Auditing Information Systems 41/134 | 58/623


 Identify
 Business risks
 Technological risks
 Operational risks

M02 - Domain 1 - The Process of Auditing Information Systems 42/134 | 59/623


1. Gather Information and Plan for the Audit
2. Obtain Understanding and Evaluate the Internal Control
3. Perform Compliance Testing
4. Perform Substantive Tests
5. Perform the Audit

M02 - Domain 1 - The Process of Auditing Information Systems 43/134 | 60/623


1. Gather Information and Plan for the Audit
 Knowledge of business and industry
 Prior year’s audit results
 Recent financial information
 Regulatory statutes
 Inherent risk assessments
2. Obtain Understanding and evaluate the Internal Control
 Control environment
 Control procedures
 Detection risk assessment
 Control risk assessment
 Equate total risk

M02 - Domain 1 - The Process of Auditing Information Systems 44/134 | 61/623


3. Perform Compliance Tests
 Identify key controls to be tested
 Perform tests on reliability, risk prevention, and adherence to
organizational policies and procedures
4. Perform Substantive Tests
 Analytical procedures
 Detailed tests of account balances
 Other substantive audit procedures
5. Perform the Audit
 Create recommendations
 Write audit report

M02 - Domain 1 - The Process of Auditing Information Systems 45/134 | 62/623


M02 - Domain 1 - The Process of Auditing Information Systems 46/134 | 63/623
M02 - Domain 1 - The Process of Auditing Information Systems 47/134 | 64/623
 Administrative controls concerned with operational
efficiency and adherence to management policies
 Organizational logical security policies and procedures
 Overall policies for the design and use of documents and
records
 Procedures and features to ensure authorized access to
assets
 Physical security policies for all data centers

M02 - Domain 1 - The Process of Auditing Information Systems 48/134 | 65/623


M02 - Domain 1 - The Process of Auditing Information Systems 49/134 | 66/623
 Protection and detective mechanisms against internal and external
attacks
 Safeguarding of IT assets
 Compliance to corporate policies or legal requirements
 Input
 Authorization
 Accuracy and completeness of processing of data input/transactions
 Output
 Reliability of process
 Backup / recovery
 Efficiency and economy of operations
 Change management process for IT
and related systems
M02 - Domain 1 - The Process of Auditing Information Systems 50/134 | 67/623
 Classification of internal controls
 Directive - Controls
 Preventive - Controls that avoid incident
 Detective - Controls that identify incident
 Corrective - Controls that remedy incident
 Recovery - Controls that restore the baseline after an incident
 Deterrent - Controls that (only) reduce likelihood of incident
 Compensatory - Control type implemented to make up for
deficiencies in other controls

M02 - Domain 1 - The Process of Auditing Information Systems 51/134 | 68/623


 Management (Administrative) Controls
 Policies, Standards, Processes, Procedures, & Guidelines
 Administrative Entities: Executive-Level, Mid.-Level Management
 Operational (and Physical) Controls
 Operational Security (Execution of Policies, Standards & Process, Education &
Awareness)
 Service Providers: IA, Program Security, Personnel Security, Document Controls (or
CM), HR, Finance, etc.
 Physical Security (Facility or Infrastructure Protection)
 Locks, Doors, Walls, Fence, Curtain, etc.
 Service Providers: FSO, Guards, Dogs
 Technical (Logical) Controls
 Access Controls , Identification & Authorization, Confidentiality, Integrity,
Availability, Non-Repudiation.
 Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk

M02 - Domain 1 - The Process of Auditing Information Systems 52/134 | 69/623


Management (Administrative)
Directive: • User registration • User agreement • NdA • Security awareness training • Warning banner
Preventive: • Job rotation • Separation of duties
Detective: • Review access logs • Investigation
Corrective: • Penalty • Administrative leave • Controlled termination processes
Recovery: • Business continuity planning (BCP) • Disaster recovery planning (DRP)

Physical / Operational
Directive: • Procedure • Awareness training
Preventive: • Physical barriers • Locks • Badge system • Security Guard • Mantrap doors • Effective hiring practice
Detective: • Monitor access • Motion detectors • CCTV
Corrective: • User behavioral modification • Modify and update physical barriers
Recovery: (none listed)

M02 - Domain 1 - The Process of Auditing Information Systems 53/134 | 70/623


Technical
Directive: • Standards
Preventive: • User authentication • Multi-factor authentication • ACLs • Firewalls • IPS • Encryption
Detective: • Log access and transactions • Store access logs • SNMP • IDS
Corrective: • Isolate, terminate connections • Modify and update access privileges
Recovery: • Backups • Recover system functions • Rebuild

M02 - Domain 1 - The Process of Auditing Information Systems 54/134 | 71/623


 Internal control system
 Internal accounting controls
 Operational controls
 Administrative controls

M02 - Domain 1 - The Process of Auditing Information Systems 55/134 | 72/623


 Safeguarding assets
 Assuring the integrity of general operating system
environments
 Assuring the integrity of sensitive and critical application
system environments through
 Authorization of the input
 Accuracy and completeness of processing of transactions
 Reliability of overall information processing activities
 Accuracy, completeness and security of the output
 Database integrity

M02 - Domain 1 - The Process of Auditing Information Systems 56/134 | 73/623


 Ensuring appropriate identification and authentication of
users of IS resources
 Ensuring the efficiency and effectiveness of operations
 Complying with requirements, policies and procedures, and
applicable laws
 Developing business continuity and disaster recovery plans
 Developing an incident response plan
 Implementing effective change
management procedures

M02 - Domain 1 - The Process of Auditing Information Systems 57/134 | 74/623


 Strategy and direction
 General organization and management
 Access to IT resources, including data and programs
 Systems development methodologies and change control
 Operations procedures
 Systems programming and technical support functions
 Quality assurance procedures
 Physical access controls
 Business continuity / disaster recovery planning
 Networks and communications
 Database administration
M02 - Domain 1 - The Process of Auditing Information Systems 58/134 | 75/623
 Internal control objectives apply to all areas, whether
manual or automated
 Therefore, conceptually, control objectives in an IS
environment remain unchanged from those of a manual
environment

M02 - Domain 1 - The Process of Auditing Information Systems 59/134 | 76/623


 Cost
 Assess management’s risk appetite and tolerance for risk
 Effectiveness at mitigating Risk

M02 - Domain 1 - The Process of Auditing Information Systems 60/134 | 77/623


M02 - Domain 1 - The Process of Auditing Information Systems 61/134 | 78/623
 Audit planning steps
1. Gain an understanding of the business’s vision, mission, business
drivers, objectives, purpose and processes and its culture
2. Identify stated contents (policies, standards, guidelines,
procedures, and organization structure)
3. Evaluate risk assessment and privacy impact analysis
4. Perform a risk analysis
5. Conduct an internal control review
6. Set the audit scope and audit objectives
7. Develop the audit approach or audit strategy
8. Assign personnel resources to audit and address engagement
logistics

M02 - Domain 1 - The Process of Auditing Information Systems 62/134 | 79/623


 Regulatory requirements
 Adequate controls
 Privacy
 Responsibilities
 Oversight and Governance
 Establishment
 Organization
 Protection of assets
 Financial Management
 Correlation to financial, operational and IT audit functions

M02 - Domain 1 - The Process of Auditing Information Systems 63/134 | 80/623


1. Identify external requirements
2. Document pertinent laws and regulations
3. Assess whether management and the IS function have
considered the relevant external requirements
4. Review internal IS department documents that address
adherence to applicable laws
5. Determine adherence to established procedures

M02 - Domain 1 - The Process of Auditing Information Systems 64/134 | 81/623


M02 - Domain 1 - The Process of Auditing Information Systems 65/134 | 82/623
 Standards (must be followed by IS auditors)
 General
 Performance
 Reporting
 Guidelines
 Provide assistance on how to implement the standards
 Tools and Techniques
 Provide examples for implementing the standards

M02 - Domain 1 - The Process of Auditing Information Systems 66/134 | 83/623


 Procedures developed by the ISACA Standards Board
provide examples of possible processes an IS auditor might
follow in an audit engagement
 The IS auditor should apply their own professional judgment
to the specific circumstances

M02 - Domain 1 - The Process of Auditing Information Systems 67/134 | 84/623


P# Topic Effective date
P1 IS Risk Assessment 01.07.2002
P2 Digital Signatures 01.07.2002
P3 Intrusion Detection 01.08.2003
P4 Viruses and Other Malicious Code 01.08.2003
P5 Control Risk Self-assessment 01.08.2003
P6 Firewalls 01.08.2003
P7 Irregularities and Illegal Acts 01.11.2003
P8 Security Assessment - Penetration Testing and Vulnerability Analysis 01.08.2004
P9 Evaluation of Management Controls Over Encryption Methodologies 10.01.2005
P10 Business Application Change Control 01.10.2006
P11 Electronic Funds Transfer (EFT) 01.05.2007

M02 - Domain 1 - The Process of Auditing Information Systems 68/134 | 85/623


Section 2200 - General Standards

Section 2400 - Performance Standards

Section 2600 - Reporting Standards

Section 3000 - IT Assurance Guidelines

Section 3200 - Enterprise Topics

Section 3400 - IT Management Process

Section 3600 - IT Audit and Assurance Guidelines

M02 - Domain 1 - The Process of Auditing Information Systems 69/134 | 86/623


 Framework for the ISACA IS Auditing Standards
(diagram: the Framework for the ISACA IS Auditing Standards, surrounded by Standards, Guidelines and Procedures)

M02 - Domain 1 - The Process of Auditing Information Systems 70/134 | 87/623


 Objectives of the ISACA IT Audit and Assurance Standards
   Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners
   Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

M02 - Domain 1 - The Process of Auditing Information Systems 71/134 | 88/623


 S1 - Audit Charter
 S2 - Independence
 S3 - Ethics and Standards
 S4 - Competence
 S5 - Planning
 S6 - Performance of audit work
 S7 - Reporting
 S8 - Follow-up activities
 S9 - Irregularities and illegal acts
 S10 - IT Governance
 S11 - Use of risk assessment in audit planning
 S12 - Audit materiality
 S13 - Using the Work of Other Experts
 S14 - Audit Evidence
 S15 - IT Controls
 S16 - E-commerce

M02 - Domain 1 - The Process of Auditing Information Systems 72/134 | 89/623


S1 - Audit Charter
• Purpose, responsibility, authority and accountability
• Approval

S2 - Independence
• Professional independence
• Organizational independence

M02 - Domain 1 - The Process of Auditing Information Systems 73/134 | 90/623


S3 - Professional Ethics and Standards
• Code of Professional Ethics
• Due professional care

S4 - Competence
• Skills and knowledge
• Continuing professional education

M02 - Domain 1 - The Process of Auditing Information Systems 74/134 | 91/623


S5 - Planning
• Plan IS audit coverage
• Develop and document a risk-based audit approach
• Develop and document an audit plan
• Develop an audit program and procedures

S6 - Performance of Audit Work
• Supervision
• Evidence
• Documentation

M02 - Domain 1 - The Process of Auditing Information Systems 75/134 | 92/623


S7 - Reporting
• Identify the organization, intended recipients and any restrictions
• State the scope, objectives, coverage and nature of audit work performed
• State the findings, conclusions and recommendations and limitations
• Justify the results reported
• Be signed, dated and distributed according to the audit charter

M02 - Domain 1 - The Process of Auditing Information Systems 76/134 | 93/623


S8 - Follow-up Activities
• Review previous conclusions and recommendations
• Review previous relevant findings
• Determine whether appropriate actions have been taken by management in a timely manner

M02 - Domain 1 - The Process of Auditing Information Systems 77/134 | 94/623


S9 - Irregularities and Illegal Acts
• Consider the risk of irregularities and illegal acts
• Maintain an attitude of professional skepticism
• Obtain an understanding of the organization and its environment
• Consider unusual or unexpected relationships
• Test the appropriateness of internal control
• Assess any misstatement

M02 - Domain 1 - The Process of Auditing Information Systems 78/134 | 95/623


S9 - Irregularities and Illegal Acts (continued)
• Obtain written representations from management
• Have knowledge of any allegations of irregularities or illegal acts
• Communicate material irregularities or illegal acts
• Consider appropriate action in case of inability to continue performing the audit
• Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions

M02 - Domain 1 - The Process of Auditing Information Systems 79/134 | 96/623


S10 - IT Governance
• Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies
• Review the IS function’s statement about the performance and assess its achievement
• Review and assess the effectiveness of IS resource and performance management processes

M02 - Domain 1 - The Process of Auditing Information Systems 80/134 | 97/623


S10 - IT Governance (continued)
• Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements
• Use a risk-based approach to evaluate the IS function
• Review and assess the organization’s control environment
• Review and assess the risks that may adversely affect the IS environment

M02 - Domain 1 - The Process of Auditing Information Systems 81/134 | 98/623


S11 - Use of Risk Assessment in Audit Planning
• Planning
• Use a risk assessment technique in developing the overall IS audit plan
• Identify and assess relevant risks in individual reviews

M02 - Domain 1 - The Process of Auditing Information Systems 82/134 | 99/623


S12 - Audit Materiality
• The IS auditor should consider audit materiality and its relationship to audit risk
• The IS auditor should consider potential weakness or absence of controls when planning for an audit
• The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses
• The IS audit report should disclose ineffective controls or absence of controls

M02 - Domain 1 - The Process of Auditing Information Systems 83/134 | 100/623


S13 - Using the Work of Other Experts
• The IS auditor should consider using the work of other experts
• The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts
• The IS auditor should assess, review and evaluate the work of other experts
• The IS auditor should determine if the work of other experts is adequate and complete
• The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence
• The IS auditor should provide an appropriate audit opinion

M02 - Domain 1 - The Process of Auditing Information Systems 84/134 | 101/623


S14 - Audit Evidence
• Includes procedures performed by the auditor and results of those procedures
• Includes source documents, records and corroborating information
• Includes findings and results of the audit work
• Demonstrates that the work was performed and complies with applicable laws, regulations and policies

M02 - Domain 1 - The Process of Auditing Information Systems 85/134 | 102/623


S15 - IT Controls
• The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organization.

S16 - E-commerce
• The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to ensure that e-commerce transactions are properly controlled.

M02 - Domain 1 - The Process of Auditing Information Systems 86/134 | 103/623


G#   Topic                                                    Effective date
G01  Using the Work of Other Auditors                         01.06.1998
G02  Audit Evidence Requirement                               01.12.1998
G03  Use of Computer Assisted Audit Techniques (CAATs)        01.12.1998
G04  Outsourcing of IS Activities to Other Organizations      01.09.1999
G05  Audit Charter                                            01.09.1999
G06  Materiality Concepts for Auditing Information Systems    01.09.1999
G07  Due Professional Care                                    01.09.1999
G08  Audit Documentation                                      01.09.1999
G09  Audit Considerations for Irregularities                  01.03.2000
G10  Audit Sampling                                           01.03.2000

M02 - Domain 1 - The Process of Auditing Information Systems 87/134 | 104/623


G#   Topic                                                            Effective date
G11  Effect of Pervasive IS Controls                                  01.03.2000
G12  Organizational Relationship and Independence                     01.03.2000
G13  Use of Risk Assessment in Audit Planning                         01.09.2000
G14  Application Systems Review                                       01.11.2001
G15  Planning Revised                                                 01.03.2002
G16  Effect of Third Parties on an Organization’s IT Controls         01.03.2002
G17  Effect of Non-audit Role on the IS Auditor’s Independence        01.07.2002
G18  IT Governance                                                    01.07.2002
G19  Irregularities and Illegal Acts                                  01.07.2002
G20  Reporting                                                        01.01.2003

M02 - Domain 1 - The Process of Auditing Information Systems 88/134 | 105/623


G#   Topic                                                    Effective date
G21  Enterprise Resource Planning (ERP) Systems Review        01.08.2003
G22  Business-to-consumer (B2C) E-commerce Review             01.08.2003
G23  System Development Life Cycle (SDLC) Review              01.08.2003
G24  Internet Banking                                         01.08.2003
G25  Review of Virtual Private Networks                       01.07.2007
G26  Business Process Reengineering (BPR) Project Reviews     01.07.2007
G27  Mobile Computing                                         01.09.2004
G28  Computer Forensics                                       01.09.2004
G29  Post-implementation Review                               01.01.2005
G30  Competence                                               01.06.2005

M02 - Domain 1 - The Process of Auditing Information Systems 89/134 | 106/623


G#   Topic                                                        Effective date
G31  Privacy                                                      01.06.2005
G32  Business Continuity Plan (BCP) Review From IT Perspective    01.09.2005
G33  General Considerations on the Use of the Internet            01.03.2006
G34  Responsibility, Authority and Accountability                 01.03.2006
G35  Follow-up Activities                                         01.03.2006
G36  Biometric Controls                                           01.03.2007
G37  Configuration Management                                     01.10.2007
G38  Access Control                                               01.02.2008
G39  IT Organizations                                             01.05.2008
G40  Review of Security Management Practices                      01.10.2008

M02 - Domain 1 - The Process of Auditing Information Systems 90/134 | 107/623


G#   Topic                                   Effective date
G41  Return on Security Investment (ROSI)    01.05.2010
G42  Continuous Assurance                    01.05.2010
…    …                                       …

M02 - Domain 1 - The Process of Auditing Information Systems 91/134 | 108/623


 It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence
   Independence of the provider of the evidence
   Qualification of the individual providing the information or evidence
   Objectivity of the evidence
   Timing of the evidence

M02 - Domain 1 - The Process of Auditing Information Systems 92/134 | 109/623


 Review IS organization structures
 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance
 Inspect tangible assets

M02 - Domain 1 - The Process of Auditing Information Systems 93/134 | 110/623


M02 - Domain 1 - The Process of Auditing Information Systems 94/134 | 111/623
 General approaches to audit sampling
   Statistical sampling
   Non-statistical sampling

M02 - Domain 1 - The Process of Auditing Information Systems 95/134 | 112/623


M02 - Domain 1 - The Process of Auditing Information Systems 96/134 | 113/623
M02 - Domain 1 - The Process of Auditing Information Systems 97/134 | 114/623
 Attribute sampling (used to estimate the extent to which a characteristic exists within a population)
   Stop-or-go sampling
   Discovery sampling
 Variable sampling (used to estimate the amount (or value) of some characteristic of a population)
   Monetary Unit Sampling (MUS)
   Stratified mean per unit
   Unstratified mean per unit
   Difference estimation

M02 - Domain 1 - The Process of Auditing Information Systems 98/134 | 115/623


 Confidence coefficient
 Level of risk
 Precision
 Expected error rate
 Sample mean
 Sample standard deviation
 Tolerable error rate
 Population standard deviation

M02 - Domain 1 - The Process of Auditing Information Systems 99/134 | 116/623


1. Determine the objectives of the test
2. Define the population to be sampled
3. Determine the sampling method
   Such as attribute versus variable sampling
4. Calculate the sample size
5. Select the sample
6. Evaluate the sample from an audit perspective
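The sample-size and evaluation steps above, worked through in Python as an added example (not code from the CISA Review Manual or from the course): attribute and variable sample sizes derived from the confidence coefficient, expected and tolerable error rates, precision and population standard deviation, a projection of the sample deviation rate against the tolerable rate, and a monetary unit selection. It assumes the normal approximation without a finite-population correction, and the invoice population is constructed.

```python
"""Audit sampling helpers for the terms used on these slides.
Added example: uses the standard normal approximation and ignores the
finite-population correction (ISACA practice commonly uses tables)."""
import math

# Two-sided z-values for the common confidence coefficients
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def attribute_sample_size(confidence, expected_rate, tolerable_rate):
    """Sample size for an attribute (compliance) test.

    Precision is the gap between the tolerable and the expected deviation
    rate: n = z^2 * p(1-p) / precision^2, rounded up.
    """
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    z = Z_VALUES[confidence]
    precision = tolerable_rate - expected_rate
    return math.ceil(z ** 2 * expected_rate * (1 - expected_rate) / precision ** 2)


def variable_sample_size(confidence, population_std_dev, precision):
    """Sample size for a variable (substantive) test of amounts:
    n = (z * sigma / precision)^2, rounded up."""
    z = Z_VALUES[confidence]
    return math.ceil((z * population_std_dev / precision) ** 2)


def evaluate_attribute_sample(confidence, sample_size, deviations, tolerable_rate):
    """Project the observed deviation rate to an upper limit and compare it
    with the tolerable rate. Returns (upper_limit, control_can_be_relied_on)."""
    z = Z_VALUES[confidence]
    rate = deviations / sample_size
    allowance = z * math.sqrt(rate * (1 - rate) / sample_size)
    upper = rate + allowance
    return round(upper, 4), upper <= tolerable_rate


def mus_select(items, sample_size):
    """Monetary unit sampling: systematic selection of one item per interval
    of monetary units, so larger amounts are more likely to be picked.
    items: list of (item_id, amount). Returns the selected ids in file order."""
    total = sum(amount for _, amount in items)
    interval = total / sample_size
    selected, cumulative, next_hit = [], 0.0, interval / 2  # fixed start point
    for item_id, amount in items:
        cumulative += amount
        while next_hit <= cumulative and len(selected) < sample_size:
            if not selected or selected[-1] != item_id:  # one hit per item
                selected.append(item_id)
            next_hit += interval
    return selected


if __name__ == "__main__":
    n = attribute_sample_size(0.95, 0.02, 0.05)
    print("attribute sample size:", n)
    print("variable sample size:", variable_sample_size(0.95, 120, 25))
    print("2 deviations in sample:", evaluate_attribute_sample(0.95, n, 2, 0.05))
    # constructed invoice population: (invoice number, amount)
    population = [("INV-1", 500), ("INV-2", 6000), ("INV-3", 300), ("INV-4", 3200)]
    print("MUS selection:", mus_select(population, 2))
```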

M02 - Domain 1 - The Process of Auditing Information Systems 100/134 | 117/623


 Compliance test
   Determines whether controls are in compliance with management policies and procedures
 Substantive test
   Tests the integrity of actual processing
   Provides evidence of the validity
 Correlation between the level of internal controls and substantive testing required
 Relationship between compliance and substantive tests

M02 - Domain 1 - The Process of Auditing Information Systems 101/134 | 118/623


1. Review the system to identify controls
2. Test compliance to determine whether controls are functioning
3. Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests
4. Use two types of substantive tests to evaluate the validity of the data
   Test balances and transactions
   Perform analytic review procedures

M02 - Domain 1 - The Process of Auditing Information Systems 102/134 | 119/623


 Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
   Focuses on risk to the organization (for an internal auditor)
   Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

M02 - Domain 1 - The Process of Auditing Information Systems 103/134 | 120/623


 Process involves
   Identification of risks faced by organization and of relevant key controls
   Review and understanding of the design of key controls
   Testing that key controls are supported by the IT system
   Testing that management controls operate effectively
   A combined report or opinion on control risks, design and weaknesses
(diagram: overlap of Operational Audit, Financial Audit and IS Audit)

M02 - Domain 1 - The Process of Auditing Information Systems 104/134 | 121/623


 Considerations when using services of other auditors and
experts
 Audit charter or contractual stipulations
 Impact on overall and specific IS audit objectives
 Impact on IS audit risk and professional liability
 Independence and objectivity of other auditors and experts

M02 - Domain 1 - The Process of Auditing Information Systems 105/134 | 122/623


 Considerations when using services of other auditors and
experts
 Professional competence, qualifications and experience
 Scope of work proposed to be outsourced and approach
 Supervisory and audit management controls
 Method of communicating the results of audit work
 Compliance with legal and regulatory stipulations
 Compliance with applicable professional standards

M02 - Domain 1 - The Process of Auditing Information Systems 106/134 | 123/623


 CAATs enable IS auditors to gather information independently
 CAATs include
   Generalized audit software (GAS)
   Utility software
   Debugging and scanning software
   Test data
   Application software tracing and mapping
   Expert systems

M02 - Domain 1 - The Process of Auditing Information Systems 107/134 | 124/623


 CAATs as a continuous online audit approach
   Improves audit efficiency
 IS auditors must
   Develop audit techniques for use with advanced computerized systems
   Be involved in the design of advanced systems to support audit requirements
   Make greater use of automated tools

M02 - Domain 1 - The Process of Auditing Information Systems 108/134 | 125/623


 Features of generalized audit software (GAS)
   Mathematical computations
   Stratification
   Statistical analysis
   Sequence checking
 Functions supported by GAS
   File access
   File reorganization
   Data selection
   Statistical functions
   Arithmetical functions
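An added example (not code from the course or from any GAS product) showing the GAS features and functions listed above on a constructed payments extract: file access, sequence checking for gaps and duplicates in document numbers, stratification by amount band, a statistical outlier test and data selection. The CSV layout, vendor names and band limits are assumptions.

```python
"""Generalized audit software (GAS) functions on a constructed extract.
Added example; the data below is invented for illustration."""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed sample data: a payments extract with a deliberate gap
# (no 1004), a duplicate (1006 twice) and one unusually large amount.
PAYMENTS_CSV = """payment_no,vendor,amount
1001,ACME Ltd,1250.00
1002,Globex,480.50
1003,ACME Ltd,990.00
1005,Initech,15200.00
1006,Globex,310.25
1006,Globex,310.25
1007,Initech,2045.00
"""


def read_payments(text):
    """File access: parse the extract into records with typed fields."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"no": int(r["payment_no"]), "vendor": r["vendor"],
             "amount": float(r["amount"])} for r in rows]


def sequence_check(records):
    """Sequence checking: report missing and duplicated document numbers."""
    numbers = [r["no"] for r in records]
    expected = set(range(min(numbers), max(numbers) + 1))
    gaps = sorted(expected - set(numbers))
    duplicates = sorted(n for n, c in Counter(numbers).items() if c > 1)
    return gaps, duplicates


def stratify(records, bands):
    """Stratification: count and total the amounts per band.
    bands: ascending upper limits; amounts above the last limit form an open band."""
    strata = defaultdict(lambda: {"count": 0, "total": 0.0})
    for r in records:
        label = next((f"<= {b:g}" for b in bands if r["amount"] <= b),
                     f"> {bands[-1]:g}")
        strata[label]["count"] += 1
        strata[label]["total"] = round(strata[label]["total"] + r["amount"], 2)
    return dict(strata)


def outliers(records, z_limit=2.0):
    """Statistical analysis: flag amounts more than z_limit population
    standard deviations above the mean of the file."""
    amounts = [r["amount"] for r in records]
    mean, sd = statistics.mean(amounts), statistics.pstdev(amounts)
    return [r["no"] for r in records if sd and (r["amount"] - mean) / sd > z_limit]


def select(records, vendor=None, min_amount=0.0):
    """Data selection: filter by vendor and/or a minimum amount."""
    return [r["no"] for r in records
            if (vendor is None or r["vendor"] == vendor) and r["amount"] >= min_amount]


if __name__ == "__main__":
    recs = read_payments(PAYMENTS_CSV)
    print("gaps, duplicates:", sequence_check(recs))
    print("strata:", stratify(recs, [500, 5000]))
    print("outliers:", outliers(recs))
    print("Globex >= 400:", select(recs, vendor="Globex", min_amount=400))
```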

M02 - Domain 1 - The Process of Auditing Information Systems 109/134 | 126/623


 Ease of use for existing and future audit staff
 Training requirements
 Complexity of coding and maintenance
 Flexibility of uses
 Installation requirements
 Processing efficiencies
 Confidentiality of data being processed

M02 - Domain 1 - The Process of Auditing Information Systems 110/134 | 127/623


M02 - Domain 1 - The Process of Auditing Information Systems 111/134 | 128/623
 Audit documentation includes
   Planning and preparation of the audit scope and objectives
   Description of the scoped audit area
   Audit program
   Audit steps performed and evidence gathered
   Other experts used
   Audit findings, conclusions and recommendations

M02 - Domain 1 - The Process of Auditing Information Systems 112/134 | 129/623


 Risk analysis
 Audit programs
 Audit trails
 Results
 Test evidences
 Conclusions
 Reports and other complementary information

 Minimum controls
 Access to work papers
 Automated features to provide and record approvals
 Security and integrity controls
 Backup and restoration
 Encryption techniques

M02 - Domain 1 - The Process of Auditing Information Systems 113/134 | 130/623


 Materiality is a key issue
 Assess evidence
   Assessment requires judgment of the potential effect of the finding if corrective action is not taken
 Evaluate overall control structure
 Evaluate control procedures
 Assess control strengths and weaknesses

M02 - Domain 1 - The Process of Auditing Information Systems 114/134 | 131/623


 Exit interview
   Correct facts
   Realistic recommendations
   Implementation dates for agreed recommendations
 Presentation techniques
   Executive summary
   Visual presentation
   Oral presentation

M02 - Domain 1 - The Process of Auditing Information Systems 115/134 | 132/623


 Audit report structure and contents
   Introduction to the report
   Audit findings presented in separate sections
   The IS auditor’s overall conclusion and opinion
   The IS auditor’s reservations with respect to the audit - audit limitations
   Detailed audit findings and recommendations
 Audit recommendations may not be accepted
   Negotiation
   Conflict resolution
   Explanation of results, findings and best practices or legal requirements

M02 - Domain 1 - The Process of Auditing Information Systems 116/134 | 133/623


 Ensure that accepted recommendations are implemented
as per schedule
 Auditing is an ongoing process
 Timing a follow-up

M02 - Domain 1 - The Process of Auditing Information Systems 117/134 | 134/623


M02 - Domain 1 - The Process of Auditing Information Systems 118/134 | 135/623
 A management technique
 A methodology
 In practice, a series of tools
 Can be implemented by various methods
 In simple terms, CSA involves a structured approach to documenting business objectives, risks and controls and having operational management and staff assess the adequacy of control

M02 - Domain 1 - The Process of Auditing Information Systems 119/134 | 136/623


 Leverage the internal audit function by shifting some
control monitoring responsibilities to functional areas
 Enhancement of audit responsibilities, not a replacement
 Educate management about control design and monitoring
 Empowerment of workers to assess the control
environment

M02 - Domain 1 - The Process of Auditing Information Systems 120/134 | 137/623


 Early detection of risks
 More effective and improved internal
controls
 Increased employee awareness of
organizational objectives
 Highly motivated employees
 Improved audit rating process
 Reduction in control cost
 Assurance provided to stakeholders
and customers

M02 - Domain 1 - The Process of Auditing Information Systems 121/134 | 138/623


 Could be mistaken as an audit
function replacement
 May be regarded as an additional
workload
 Failure to act on improvement
suggestions could damage employee
morale
 Lack of motivation may limit
effectiveness in the detection of weak
controls

M02 - Domain 1 - The Process of Auditing Information Systems 122/134 | 139/623


 Internal control professionals
 Assessment facilitators

M02 - Domain 1 - The Process of Auditing Information Systems 123/134 | 140/623


 Traditional Approach
   Assigns duties / supervises staff
   Policy / process / rule driven
   Limited employee participation
   Narrow stakeholder focus
 Control Self-Assessment (CSA) Approach
   Empowered / accountable employees
   Continuous improvement / learning curve
   Extensive employee participation and training
   Broad stakeholder focus

M02 - Domain 1 - The Process of Auditing Information Systems 124/134 | 141/623


 Continuous monitoring
   Provided by IS management tools
   Based on automated procedures to meet fiduciary responsibilities
 Continuous auditing
   Audit-driven
   Completed using automated audit procedures

M02 - Domain 1 - The Process of Auditing Information Systems 125/134 | 142/623


 Distinctive character
   Short time lapse between the facts to be audited and the collection of evidence and audit reporting
 Drivers
   Better monitoring of financial issues
   Allows real-time transactions to benefit from real-time monitoring
   Prevents financial fiascoes and audit scandals
   Uses software to determine proper financial controls
 Application of continuous auditing due to
   New information technology developments
   Increased processing capabilities
   Standards
   Artificial intelligence tools
M02 - Domain 1 - The Process of Auditing Information Systems 126/134 | 143/623
 Transaction logging
 Query tools
 Statistics and data analysis
 Computer Assisted Audit Techniques (CAAT)
 Database management systems (DBMS)
 Continuous and Intermittent Simulation (CIS)
 Data warehouses, data marts and data mining
 Intelligent agents
 Embedded audit modules (EAM)
 Neural network technology
 Standards such as Extensible Business Reporting Language (XBRL)

M02 - Domain 1 - The Process of Auditing Information Systems 127/134 | 144/623


 A high degree of automation
 An automated and reliable information-producing process
 Alarm triggers to report control failures
 Implementation of automated audit tools
 Quickly informing IS auditors of anomalies / errors
 Timely issuance of automated audit reports
 Technically proficient IS auditors
 Availability of reliable sources of evidence
 Adherence to materiality guidelines
 Change of IS auditors’ mindset
 Evaluation of cost factors
M02 - Domain 1 - The Process of Auditing Information Systems 128/134 | 145/623
 Advantages
   Instant capture of internal control problems
   Reduction of intrinsic audit inefficiencies
 Disadvantages
   Difficulty in implementation
   High cost
   Elimination of auditors’ personal judgment and evaluation

M02 - Domain 1 - The Process of Auditing Information Systems 129/134 | 146/623


M02 - Domain 1 - The Process of Auditing Information Systems 130/134 | 147/623
M02 - Domain 1 - The Process of Auditing Information Systems 131/134 | 148/623
 Auditing
 Risk-Based Auditing
 Internal Controls
 Audit Planning
 Performing the Audit
 Sampling
 Audit Analysis and Reporting
 Control Self-Assessment (CSA)
 ISACA Code of Professional Ethics

of CISA Review Manual


M02 - Domain 1 - The Process of Auditing Information Systems 132/134 | 149/623
M02 - Domain 1 - The Process of Auditing Information Systems 133/134 | 150/623

I hope you enjoyed this presentation. If so, please like, share and leave a comment below. Endorsements on LinkedIn are also highly appreciated! (your feedback = more free stuff)

MIROSLAWDABROWSKI.COM/downloads

You might also like