Ch1 2016CISA

2016 CISA REVIEW COURSE
Course Agenda
• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Practice questions
© Copyright 2014 ISACA. All rights reserved.

2
20146 CISA REVIEW COURSE
Chapter 1: The Process of Auditing Information Systems

Learning Objectives
This course is designed to ensure that:

The CISA candidate has the knowledge
necessary to provide audit services in
accordance with IS audit standards to
assist the organization with protecting
and controlling information systems.

4
Domain 1 – Task Statements
There are T1.1 Develop and implement a risk-based IT

five tasks audit strategy in compliance with IT audit
within this standards to ensure that key areas are
domain that included.
a CISA must
know how to T1.2 Plan specific audits to determine whether
perform. information systems are protected,
controlled and provide value to the
organization.
T1.3 Conduct audits in accordance with IT audit
standards to achieve planned audit
objectives.

5
Domain 1 – Task Statements (contd.)
T1.4 Report audit findings and make recommendations to

key stakeholders to communicate results and effect
change when necessary.
T1.5 Conduct follow-ups or prepare status reports to ensure
appropriate actions have been taken by management in
a timely manner.

6
Domain 1 - Knowledge Statements
There are 10 KS1.1 Knowledge of ISACA IT Audit and

knowledge Assurance Standards, Guidelines, and
statements Tools and Techniques; Code of
within the Professional Ethics; and other applicable
process of standards
auditing
information KS1.2 Knowledge of risk assessment concepts,
systems tools and techniques in an audit context
domain. KS1.3 Knowledge of control objectives and
controls related to information systems

7
Domain 1 - Knowledge Statements (contd.)
KS1.4 Knowledge of audit planning and audit project

management techniques, including follow-up
KS1.5 Knowledge of fundamental business processes (e.g.,
purchasing, payroll, accounts payable, accounts
receivable) including relevant IT
KS1.6 Knowledge of applicable laws and regulations that
affect the scope, evidence collection and preservation,
and frequency of audits

8
Domain 1 - Knowledge Statements (contd.)
KS1.7 Knowledge of evidence collection techniques (e.g.,

observation, inquiry, inspection, interview,
data analysis) used to gather, protect and preserve
audit evidence
KS1.8 Knowledge of different sampling methodologies
KS1.9 Knowledge of reporting and communication
techniques (e.g., facilitation, negotiation, conflict
resolution, audit report structure)
KS1.10 Knowledge of audit quality assurance systems and
frameworks

9
1.2.1 Organization of the IS Audit Function
• Audit charter (or engagement letter)

– Stating management’s responsibility and objectives for, and
delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the
audit function
• Approval of the audit charter
• Change in the audit charter

10
1.2.2 IS Audit Resource Management
• Limited number of IS auditors

• Maintenance of their technical competence
• Assignment of audit staff

11
1.2.3 Audit Planning
Shot- term and Long-term Things to Consider

planning
• Individual Audit Planning • New control issues
• Understanding of overall • Changing technologies
environment • Changing business
processes
• Enhanced evaluation
techniques
• Business practices and
functions
• Information systems and
technology

12
1.2.3 Audit Planning (cont.)

13
1.2.4 Effect of Laws and Regulations on IS Audit
Planning
Regulatory requirements generally describe the:

• Establishment
• Organization
• Responsibilities
• Correlation of the regulation to financial, operational and IS audit

functions

14
1.2.4 Effect of Laws and Regulations on IS Audit
Planning (cont.)
Steps to determine compliance with external requirements:

• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function have considered

the relevant external requirements
• Review internal IS department documents that address adherence to
applicable laws
• Determine adherence to established procedures

15
1.3.1 ISACA Code of Professional Ethics
• The Association’s Code of Professional Ethics provides

guidance for the professional and personal conduct of
members of ISACA and/or certification holders.

16
1.3.2 ISACA IS Audit and Assurance Standards
Framework
Framework for the ISACA IS Auditing Standards:

•Standards www.isaca.org/standards
•Guidelines www.isaca.org/guidelines
•Tools and Techniques

17
Framework (cont.)
Objectives of • To inform management and other

the ISACA IS interested parties of the profession’s
Audit and expectations concerning the work of
Assurance audit practitioners
Standards:
• To inform information system auditors
of the minimum level of acceptable
performance required to meet
professional responsibilities set out in
the ISACA Code of Professional Ethics

18
Framework (cont.)

19
Framework (cont.)

20
Framework – 1001 and 1002
1001– Audit Charter 1002– Organizational

Independence
• Document the audit • Stay independent of the
function appropriately in an area or activity being
audit charter, indicating reviewed to permit
purpose, responsibility, objective completion of the
authority and accountability audit and assurance
• Agree upon and get the engagement
audit charter approved at an
appropriate level within the
enterprise

1003– Professional 1004– Reasonable Expectation

Independence
• Stay independent and • Reasonable expectation that:
objective in both attitude – an engagement can be
and appearance in all completed in accordance
with IS audit and assurance
matters related to audit and standards
assurance engagements – the scope enables
conclusion and addresses
restrictions
– Management understands
its obligations with respect
to relevant and timely
information

1005– Due Professional Care 1006– Proficiency
• Exercise due professional • Possess adequate skills and

care, including observance proficiency in conducting IS
of applicable professional audit and assurance
audit standards, in planning, engagements
performing and reporting on • Possess adequate
the results of engagements knowledge of the subject
matter
• Appropriate continuing
professional education and
training.

1007– Assertions 1008– Criteria
• Review the assertions • Select criteria that are

against which the subject objective, complete,
matter will be assessed to relevant, measureable,
determine that such understandable, widely
assertions are capable of recognised, authoritative
being audited and that the and understood
assertions are sufficient, • Select criteria issued by
valid and relevant relevant authoritative
bodies

1201– Engagement Planning 1202– Risk Assessment in Audit

Planning
• Address the objective(s), • Use an appropriate risk
scope, timeline and assessment approach and
deliverables, compliance supporting methodology to
with applicable laws and develop the overall IS audit
plan
professional auditing
• Identify and assess risk
standards
relevant to the area under
• Develop and document an review
IS audit or assurance • Evaluate subject matter risk,
engagement project plan audit risk and related
exposure to the enterprise

Framework – 1203
1203– Performance and Supervision
• Work in accordance with the approved IS audit plan to cover

identified risk
• Supervise IS audit staff to accomplish audit objectives and
meet audit standards
• Develop relevant knowledge and skills
• Obtain sufficient, reliable, relevant and timely evidence
• Document the audit process, audit work and audit evidence
• Identify and conclude on findings

Framework – 1204
1204 – Materiality
• Consider potential weaknesses or absences of controls while

planning an engagement
• consider the cumulative effect of minor control deficiencies or
weaknesses
• Disclose absence of controls or ineffective controls, significance of
the control deficiencies and probability of these weaknesses
resulting in a significant deficiency

1204 – Materiality 1205 – Evidence

• Consider potential weaknesses • Obtain sufficient and
or absences of controls appropriate evidence to draw
• Consider the cumulative effect reasonable conclusions
of minor control deficiencies • Evaluate the sufficiency of
• Disclose absence of controls or evidence obtained to support
ineffective controls, conclusions and achieve
significance of the control objectives
deficiencies and probability of
these weaknesses resulting in
a significant deficiency

Framework – 1206
1206 – Using the Work of Other Experts
• Consider using the work of other experts for the IS audit or

assurance engagement
• Assess and approve the adequacy of the other experts’ prior
to the IS audit or assurance engagement
• Document the extent of use and reliance on the work of other
experts.
• Apply additional test procedures where the work of other
experts does not provide sufficient and appropriate audit
evidence.

Framework – 1207
1207– Irregularity and Illegal Acts
• Consider the risk of irregularities and illegal acts

• Maintain an attitude of professional scepticism
• Document and communicate any material
irregularities or illegal act to the appropriate
party in a timely manner

1401 – Reporting 1402 – Follow-up Activities
• Provide a report to • Monitor relevant

communicate the results information to conclude
with details like, scope, whether management has
objectives, period of planned/taken appropriate,
coverage, extent of work timely action to address
performed, etc. reported audit findings and
recommendations

1.3.3 ISACA IS Audit and Assurance Guidelines
New #. Guideline (old #.) Effective Date

2001 Audit Charter (G5) 1 Feb 2008
2002 Organisational Independence (G12) 1 Aug 2008
2003 Professional’s Independence (G17) 1 May 2010
2004 Reasonable Expectation In development
2005 Due Professional Care (G7) 1 Mar 2008
2006 Proficiency (G30) 1 Jun 2005
2007 Assertions In development

32
1.3.3 ISACA IS Auditing and Assurance
Guidelines (cont.)

2008 Criteria In development
2201 Engagement Planning (G15) 1 May 2010
Risk Assessment in Audit Planning
2202 1 Aug 2008
(G13)
2203 Performance and Supervision (G8) 1 Mar 2008
2204 Materiality (G6) 1 May 2008
2205 Evidence (G2) 1 May 2008
Using the Work of Other Experts
2206 1 Mar 2008
(G1)

33
1.3.3 ISACA IS Auditing and Assurance
Guidelines (cont.)

2207 Irregularity and Illegal Acts (G9) 1 Sept 2008
2208 Audit Sampling (G10) 1 Aug 2008
2401 Reporting (G20) 16 Sept 2010
2402 Follow-up Activities (G35) 1 March 2006

34
1.3.4 ISACA IS Audit and Assurance Tools and
Techniques
• Guidance and examples of possible processes an IS auditor

might follow in an audit engagement.
• IS auditors should apply their own professional judgment to
the specific circumstances.

35
1.3.5 Relationship Among Standards,
Guidelines, and Tools and Techniques
Standards
• Must be followed by IS auditors
Guidelines
• Provide assistance on how to implement the standards
Tools and Techniques
• Provide examples for implementing the standards

36
1.3.6 Information Technology Assurance
Framework (ITAF™)

37
1.4 Risk Analysis
From the IS auditor’s perspective, risk analysis serves more than

one purpose:
•It assists the IS auditor in identifying risks and threats to an IT
environment and IS system—risks and threats that would need
to be addressed by management—and in identifying system
specific internal controls. Depending on the level of risk, this
assists the IS auditor in selecting certain areas to examine.

38
1.4 Risk Analysis (cont.)
• It helps the IS auditor in his/her evaluation of controls in audit

planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.
• Part of audit planning
• Helps identify risks and vulnerabilities
• The IS auditor can determine the controls needed to mitigate
those risks

39
IS auditors must be able to:

• Be able to identify and differentiate risk types and the
controls used to mitigate these risks
• Have knowledge of common business risks, related
technology risks and relevant controls
• Be able to evaluate the risk assessment and management
techniques used by business managers, and to make
assessments of risk to help focus and plan audit work
• Have an understand that risk exists within the audit process

40
In analyzing the business risks arising from the use of IT, it is

important for the IS auditor to have a clear understanding of:
•The purpose and nature of business, the environment in which
the business operates and related business risks
•The dependence on technology and related dependencies that
process and deliver business information
•The business risks of using IT and related dependencies and
how they impact the achievement of the business goals and
objectives
•A good overview of the business processes and the impact of IT
and related risks on the business process objectives

41

42
1.5 Internal Controls
Policies, procedures, practices and organizational structures

implemented to reduce risks
•Classification of internal controls
– Preventive controls
– Detective controls
– Corrective control

43
1.5 Internal Controls (cont.)

44
1.5 Internal Controls (cont.)
Internal control system

• Internal accounting controls
• Operational controls
• Administrative controls

45
1.5.1 IS Control Objectives
Internal control objectives apply to all areas, whether manual or

automated. Therefore, conceptually, control objectives in an IS
environment remain unchanged from those of a manual
environment.

46
1.5.1 IS Control Objectives (cont.)
Specific IS control objectives may include:

•Safeguarding assets
•Ensuring the integrity of general operating system environments

47
• Ensuring the integrity of sensitive and critical application

system environments through:
– Authorization of the input
– Validation of the input
– Accuracy and completeness of processing of transactions
– All transactions are recorded accurately and entered into
the system for the proper period
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity

48
• Ensuring appropriate identification and authentication of

users of IS resources
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and
applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan
• Implementing effective change management procedures

49
1.5.2 COBIT 5
IT Governance
Val IT 2.0
Evolution of
Management (2008)
Control
scope
Risk IT
(2009)
Audit
COBIT1 COBIT2 COBIT3 COBIT4.0/4.1
1996 1998 2000 2005/7 2012
An business framework from ISACA, at www.isaca.org/cobit

© 2012 ISACA® All rights reserved.
50
50
1.5.2 COBIT 5 (cont.)
The five COBIT 5 principles are:

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

51
Principle 1: Meeting Stakeholder Needs
• Stakeholder needs have to

be transformed into an
enterprise’s practical
strategy.
• The COBIT 5 goals cascade
translates stakeholder needs
into specific, practical and
customised goals within the
context of the enterprise, IT-
related goals and enabler
goals.

52 Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.
Principle 2: Covering the Enterprise End-to-end
Key
components
of a
governance
system
Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.

53
Principle 3: Applying a Single, Integrated
Framework
There are many IT-related standards and best practices, each

providing guidance on a subset of IT activities. COBIT 5 aligns
with other relevant standards and frameworks at a high level,
and thus can serve as the overarching framework for governance
and management of enterprise IT.

54
Principle 4: Enabling a Holistic Approach
COBIT 5 Enabler Dimensions:

• All enablers have a set of common dimensions. This set of
common dimensions:
– Provides a common, simple and structured way to deal with
enablers
– Allows an entity to manage its complex interactions
– Facilitates successful outcomes of the enablers
Source: COBIT® 5, figure

13. © 2012 ISACA® All
rights reserved.

55
Principle 5: Separating Governance From
Management
• Governance ensures that stakeholders needs, conditions and

options are evaluated to determine balanced, agreed-on
enterprise objectives to be achieved; setting direction
through prioritisation and decision making; and monitoring
performance and compliance against agreed-on direction and
objectives (EDM).
• Management plans, builds, runs and monitors activities in
alignment with the direction set by the governance body to
achieve the enterprise objectives (PBRM).

56
Principle 5: Separating Governance From
Management (cont.)
COBIT 5 is not
prescriptive, but it
advocates that
organisations
implement
governance and
management
processes such
that the key areas
are covered, as
shown.

57
1.5.3 General Controls
Apply to all • Internal accounting controls directed at

areas of an accounting operations
organization • Operational controls concerned with the day-
and include to-day operations
policies and • Administrative controls concerned with
practices operational efficiency and adherence to
established by management policies
management • Organizational logical security policies and
to provide procedures
reasonable • Overall policies for the design and use of
assurance that documents and records
specific • Procedures and features to ensure authorized
objectives will access to assets
be achieved. • Physical security policies for all data centers

58
1.5.4 IS Controls
IS control procedures include:

• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions

59
1.5.4 IS Controls (cont.)
• Quality assurance procedures

• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and
external attacks

60
1.6 Performing an IS Audit
Definition of auditing
Systematic process by which a competent, independent person
objectively obtains and evaluates evidence regarding assertions
about an economic entity or event for the purpose of forming an
opinion about and reporting on the degree to which the assertion
conforms to an identified set of standards.
Definition of IS auditing
Any audit that encompasses review and evaluation (wholly or
partly) of automated information processing systems, related
non-automated processes and the interfaces between them.

61
1.6.1 Classification of Audits
The IS auditor should understand the various types of audits that can
be performed, internally or externally, and the audit procedures
associated with each:
•Compliance audits
•Financial audits
•Operational audits
•Integrated audits
•Administrative audits
•IS audits
•Specialized audits
•Forensic audits

62
1.6.2 Audit Programs
• Based on the scope and objective of the particular assignment

• IS auditor’s perspectives:
– Security (confidentiality, integrity and availability)
– Quality (effectiveness, efficiency)
– Fiduciary (compliance, reliability)
– Service and capacity

63
1.6.2 Audit Programs (cont.)
General audit procedures are the basic steps in the performance

of an audit and usually include:
•Understanding of the audit area/subject
•Risk assessment and general audit plan
•Detailed audit planning
•Preliminary review of audit area/subject
•Evaluating audit area/subject
•Verifying and evaluating controls
•Compliance testing
•Substantive testing
•Reporting (communicating results)
•Follow-up

64
1.6.2 Audit Programs (cont.)
Procedures for Testing and Evaluating IS Controls

• Use of generalized audit software to survey the contents of data
files
• Use of specialized software to assess the contents of operating
system parameter files
• Flow-charting techniques for documenting automated applications
and business process
• Use of audit reports available in operation systems
• Documentation review
• Observation
• Walkthroughs
• Reperformance of controls

65
1.6.3 Audit Methodology
A set of documented audit procedures designed to achieve

planned audit objectives
•Composed of:
– Statement of scope
– Statement of audit objectives
– Statement of audit programs
•Set up and approved by the audit management
•Communicated to all audit staff

66
1.6.3 Audit Methodology (cont.)
Audit phases
• Audit subject
• Audit objective
• Audit scope
• Preaudit planning
• Audit procedures and steps for data gathering
• Procedures for evaluating the test or review results
• Procedures for communication with management
• Audit report preparation

67
Audit Phases Description

Identify Audit subject Identify the area to be audited.
Define the audit objective Identify the purpose of the audit.
For example, an objective might be to determine whether

program source code changes occur in a well-defined and
controlled environment.
Define the audit scope Identify the specific systems, function or unit of the organization
to be included in the review.
For example, in the previous program changes example, the

scope statement might limit the review to a single application
system or to a limited period of time.
Perform the preaudit • Identify technical skills and resources
planning • needed.
• Identify the sources of information for test or review such as
functional flow charts, policies, standards, procedures and prior
audit work papers.
• Identify locations or facilities to be audited.

68
Audit Phase - Continued Description

Audit procedures and steps for • Identify and select the audit approach to verify and test
data gathering the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies,
• standards and guidelines for review.
• Develop audit tools and methodology to test
• and verify control.
Procedures for evaluating the Organization-specific
test or review results
Procedures for communication Organization-specific
with management
Audit report preparation • Identify follow-up review procedures.
• Identify procedures to evaluate/test
• operational efficiency and effectiveness.
• Identify procedures to test controls.
• Review and evaluate the soundness of documents,
policies and procedures.

69
What is documented in work papers (WPs)?

• Audit plans
• Audit programs
• Audit activities
• Audit tests
• Audit findings and incidents

70
1.6.4 Fraud Detection
• Management’s responsibility
• Benefits of a well-designed internal control system
– Deterring fraud at the first instance
– Detecting fraud in a timely manner
• Fraud detection and disclosure
• Auditor’s role in fraud prevention and detection

71
1.6.5 Risk-based Auditing

72
1.6.6 Audit Risk and Materiality
Audit risk categories

• Inherent risk
• Control risk
• Detection risk
• Overall audit risk

73
1.6.7 Risk Assessment and Treatment
Assessing security risks

• Risk assessments should identify, quantify and prioritize risks
against criteria for risk acceptance and objectives relevant to
the organization
• Should be performed periodically to address changes in the
environment, security requirements and when significant
changes occur

74
1.6.7 Risk Assessment and Treatment (cont.)
Treating security risks

• Each risk identified in a risk assessment needs to be treated
• Possible risk responses include:
– Risk mitigation
– Risk acceptance
– Risk avoidance
– Risk transfer/sharing

75
1.6.8 Risk Assessment Techniques
• Enables management to effectively allocate limited audit

resources
• Ensures that relevant information has been obtained from all
levels of management
• Establishes a basis for effectively managing the audit
department
• Provides a summary of how the individual audit subject is
related to the overall organization as well as to the business
plan

76
1.6.9 Audit Objectives
Specific goals of the audit

• Compliance with legal and regulatory requirements
• Confidentiality
• Integrity
• Reliability
• Availability

77
1.6.10 Compliance vs. Substantive Testing
• Compliance test
– Determines whether controls are in compliance with

management policies and procedures
• Substantive test
– Tests the integrity of actual processing

• Correlation between the level of internal controls and substantive testing required
• Relationship between compliance and substantive tests

78
1.6.10 Compliance vs. Substantive Testing (cont.)
79

1.6.11 Evidence
It is a requirement that the auditor’s conclusions be based on

sufficient, competent evidence:
• Independence of the provider of the evidence
• Qualification of the individual providing the information or evidence
• Objectivity of the evidence
• Timing of the evidence

80
1.6.11 Evidence (cont.)
Techniques for gathering evidence:

• Review IS organization structures
• Review IS policies and procedures
• Review IS standards
• Review IS documentation
• Interview appropriate personnel
• Observe processes and employee
performance
• Reperformance
• Walkthroughs

81
1.6.12 Interviewing and Observing Personnel in
Performance of Their Duties
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
• Observation drawbacks

82
1.6.13 Sampling
General approaches to audit sampling:
• Statistical sampling
• Non-statistical sampling

83
1.6.13 Sampling (cont.)
Two primary methods of sampling used by IS auditors are:

•Attribute sampling
– Stop-or-go sampling
– Discovery sampling
•Variable sampling
– Stratified mean per unit
– Unstratified mean per unit
– Difference estimation

84
Statistical sampling terms:

• Confident coefficient
• Level of risk
• Precision
• Expected error rate
• Sample mean
• Sample standard deviation
• Tolerable error rate
• Population standard deviation

85
Key steps in choosing a sample:

• Determine the objectives of the test
• Define the population to be sampled
• Determine the sampling method, such as attribute versus
variable sampling
• Calculate the sample size
• Select the sample
• Evaluating the sample from an audit perspective

86
1.6.14 Using the Services of Other Auditors
and Experts
Considerations when using services of other auditors and

experts:
•Restrictions on outsourcing of audit/security services provided
by laws and regulations
•Audit charter or contractual stipulations
•Impact on overall and specific IS audit objectives
•Impact on IS audit risk and professional liability
•Independence and objectivity of other auditors and experts

87
1.6.14 Using the Services of
Other Auditors and Experts (cont.)
Considerations when using services of other auditors and

experts:
•Professional competence, qualifications and experience
•Scope of work proposed to be outsourced and approach
•Supervisory and audit management controls
•Method and modalities of communication of results of audit
work
•Compliance with legal and regulatory stipulations
•Compliance with applicable professional standards

88
1.6.15 Computer-assisted Audit Techniques
• CAATs enable IS auditors to gather information independently

• CAATs include:
– Generalized audit software (GAS)
– Utility software
– Debugging and scanning software
– Test data
– Application software tracing and mapping
– Expert systems

89
(cont.)
• Features of generalized audit software (GAS):

– Mathematical computations
– Stratification
– Statistical analysis
– Sequence checking
• Functions supported by GAS:
– File access
– File reorganization
– Data selection
– Statistical functions
– Arithmetical functions

90
(cont.)
Items to consider before utilizing CAATs:

• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed

91
(cont.)
Documentation that should be retained:

• Online reports
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

92
(cont.)
CAATs as a continuous online audit approach:

•Improves audit efficiency
•IS auditors must:
– develop audit techniques for use with advanced computerized
systems
– be involved in the creation of advanced systems
– make greater use of automated tools

93
1.6.16 Evaluation of Audit Strengths and
Weaknesses
• Assess evidence
• Evaluate overall control structure
• Evaluate control procedures
• Assess control strengths and weaknesses

94
1.6.16 Evaluation of Audit Strengths and
Weaknesses (cont.)
Judging materiality of findings
• Materiality is a key issue
• Assessment requires judgment of the potential effect of the

finding if corrective action is not taken

95
1.6.17 Communicating Audit Results
Exit interview Presentation techniques
• Correct facts • Executive summary

• Realistic recommendations • Visual presentation
• Implementation dates for
agreed recommendations
96 © Copyright 2014 ISACA. All rights reserved.

96
1.6.17 Communicating Audit Results (cont.)
Audit report structure and contents

• An introduction to the report
• Audit findings presented in separate sections
• The IS auditor’s overall conclusion and opinion
• The IS auditor’s reservations with respect to the audit
• Detailed audit findings and recommendations
• A variety of findings

97
1.6.18 Management Implementation of
Recommendations
• Auditing is an ongoing process

• Timing of follow-up

98
1.6.19 Audit Documentation
Audit documentation includes:

• Planning and preparation of the audit scope and objectives
• Description on the scoped audit area
• Audit program
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations

99
1.7 Control Self-Assessment
• A management technique
• A methodology
• In practice, a series of tools
• Can be implemented by various methods

100
1.7 Control Self-Assessment (cont.)

101
1.7.1 Objectives of CSA
• Leverage the internal audit function by shifting some control

monitoring responsibilities to functional areas
• Enhancement of audit responsibilities, not a replacement
• Educate management about control design and monitoring
• Empowerment of workers to assess the control environment

102
1.7.2 Benefits of CSA
• Early detection of risks

• More effective and improved internal controls
• Increased employee awareness of organizational objectives
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers

103
1.7.3 Disadvantages of CSA
• Could be mistaken as an audit function replacement

• May be regarded as an additional workload
• Failure to act on improvement suggestions could damage
employee morale
• Lack of motivation may limit effectiveness in the detection of
weak controls

104
1.7.4 Auditor Role in CSA
• Internal control professionals
• Assessment facilitators

105
1.7.5 Technology Drivers for CSA
• Combination of hardware and software

• Use of an electronic meeting system
• Computer-supported decision aids
• Group decision making is an essential component

106
1.7.6 Traditional vs. CSA Approach
• Traditional Approach
– Assigns duties/supervises staff
– Policy/rule driven
– Limited employee participation
– Narrow stakeholder focus
• CSA Approach
– Empowered/accountable employees
– Continuous improvement/learning curve
– Extensive employee participation and training
– Broad stakeholder focus

107
1.8.1 Integrated Auditing
Process whereby appropriate audit disciplines are combined to

assess key internal controls over an operation, process or entity.
• Focuses on risk to the organization (for an internal auditor)
• Focuses on the risk of providing an incorrect or misleading audit
opinion (for an external auditor)

108
1.8.1 Integrated Auditing (cont.)
Process involves:
• Identification of risks faced by
organization and of relevant key
controls
• Review and understanding of the
design of key controls
• Testing that key controls are
supported by the IT system
• Testing that management controls
operate effectively
• A combined report or opinion on
control risks, design and
weaknesses

109
1.8.2 Continuous Auditing
• Distinctive character
– Short time lapse between the facts to be audited and the
collection of evidence and audit reporting
• Drivers
– Better monitoring of financial issues
– Allows real-time transactions to benefit from real-time
monitoring
– Prevents financial fiascoes and audit scandals
– Uses software to determine proper financial controls

110
1.8.2 Continuous Auditing (cont.)
Continuous monitoring Continuous auditing
• Provided by IS management • Audit-driven

tools • Completed using automated
• Based on automated audit procedures
procedures to meet
fiduciary responsibilities

111
Application of continuous auditing due to:

• New information technology developments
• Increased processing capabilities
• Standards
• Artificial intelligence tools

112
Prerequisites:
• A high degree of automation
• An automated and reliable information-producing process
• Alarm triggers to report control failures
• Implementation of automated audit tools
• Quickly informing IS auditors of anomalies/errors
• Timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• Change of IS auditors’ mindset
• Evaluation of cost factors

113
IT techniques in a continuous auditing environment:

• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management systems (DBMS)
• Data warehouses, data marts and data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language

114
• Advantages
– Instant capture of internal control problems
– Reduction of intrinsic audit inefficiencies
• Disadvantages
– Difficulty in implementation
– High cost
– Elimination of auditors’ personal judgment and evaluation

115
1.9.1 Case Study A Scenario
The IS auditor has been asked to perform preliminary work that will
assess the readiness of the organization for a review to measure
compliance with new regulatory requirements. These requirements
are designed to ensure that management is taking an active role in
setting up and maintaining a well-controlled environment and,
accordingly, will assess management’s review and testing of the
general IT control environment.
Areas to be assessed include logical and physical security, change

management, production control and network management, IT
governance, and end-user computing. The IS auditor has been given six
months to perform this preliminary work, so sufficient time should be
available. It should be noted that in previous years, repeated problems
have been identified in the areas of logical security and change
management, so these areas will most likely require some degree of
remediation.

1.9.1 Case Study A Scenario (cont.)
Logical security deficiencies noted included the sharing of

administrator accounts and failure to enforce adequate controls over
passwords. Change management deficiencies included improper
segregation of incompatible duties and failure to document all
changes. Additionally, the process for deploying operating system
updates to servers was found to be only partially effective.
In anticipation of the work to be performed by the IS auditor, the chief

information officer (CIO) requested direct reports to develop narratives
and process flows describing the major activities for which IT is
responsible. These were completed, approved by the various process
owners and the CIO, and then forwarded to the IS auditor for
examination.

Case Study A Question – A1
What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most
critical.

Case Study A Question – A2
When testing program change management, how should the

sample be selected?
A. Change management documents should be selected at
random and examined for appropriateness.
B. Changes to production code should be sampled and
traced to appropriate authorizing documentation.
C. Change management documents should be selected
based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and
traced back to system-produced logs indicating the date and
time of the change.

1.9.2 Case Study B Scenario
An IS auditor is planning to review the security of a financial

application for a large company with several locations
worldwide. The application system is made up of a web
interface, a business logic layer and a database layer. The
application is accessed locally through a LAN and remotely
through the Internet via a virtual private network (VPN)
connection.

Case Study B Question – B1
The MOST appropriate type of CAATs tool the auditor should use
to test security configuration settings for the entire application
system is:
A. generalized audit software.
B. test data.
C. utility software.
D. expert system.

Given that the application is accessed through the Internet, how

should the auditor determine whether to perform a detailed
review of the firewall rules and virtual private network (VPN)
configuration settings?
A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices

During the review, if the auditor detects that the transaction

authorization control objective cannot be met due to a lack of
clearly defined roles and privileges in the application, the auditor
should FIRST:
A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the
appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of
the database.

1.9.3 Case Study C Scenario
An IS auditor has been appointed to carry out IS audits in an

entity for a period of 2 years. After accepting the appointment,
the IS auditor noted that:
– The entity has an audit charter that detailed, among other things, the
scope and responsibilities of the IS audit function and specifies the
audit committee as the overseeing body for audit activity.
– The entity is planning a major increase in IT investment, mainly on
account of implementation of a new ERP application, integrating
business processes across units dispersed geographically. The ERP
implementation is expected to become operational within the next 90
days. The servers supporting the business applications are hosted
offsite by a third-party service provider.

1.9.3 Case Study C Scenario (continued)
– The entity has a new incumbent as chief information security officer

(CISO), who reports to the chief financial officer (CFO).
– The entity is subject to regulatory compliance requirements that
require its management to certify the effectiveness of the internal
control system as it relates to financial reporting. The entity has been
recording growth at double the industry average consistently over the
last two years. However, the entity has seen increased employee
turnover as well.

Case Study Question – C1
The FIRST priority of the IS auditor in year 1 should be to study

the:
A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT
environment and plan the audit schedule.

Case Study Question – C2
How should the IS auditor evaluate backup and batch processing

within computer operations?
A. Plan and carry out an independent review of computer
operations.
B. Rely on the service auditor’s report of the service
provider.
C. Study the contract between the entity and the service
provider.
D. Compare the service delivery report to the service level
agreement.

Practice Question – 1-1
Which of the following establishes the overall authority to

perform an IS audit?
A. The audit scope, with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

In performing a risk-based audit, which risk assessment is

completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

While developing a risk-based audit program, on which of the

following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

Which of the following types of audit risk assumes an absence of

compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

An IS auditor performing a review of an application’s controls

finds a weakness in system software that could materially impact
the application. The IS auditor should:
A. disregard these control weaknesses, as a system software
review is beyond the scope of this review.
B. conduct a detailed system software review and report the
control weaknesses.
C. include in the report a statement that the audit was limited to a
review of the application’s controls.
D. review the system software controls as relevant and
recommend a detailed system software review.

Which of the following is the MOST important reason why an

audit planning process should be reviewed at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

Which of the following is MOST effective for implementing a

control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

The FIRST step in planning an audit is to:

A. define audit deliverables.
B. finalize the audit scope and audit objectives
C. gain an understanding of the business’s objectives.
D. develop the audit approach or audit strategy.

The approach an IS auditor should use to plan IS audit coverage

should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. Sufficiency of audit evidence.

A company performs a daily backup of critical data and software

files and stores the backup tapes at an offsite location. The
backup tapes are used to restore the files in case of a disruption.
This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.

Conclusion
Chapter 1 Quick Reference Review

Page 29 of CISA Review Manual 2014

138
Questions
QUESTIONS
now

Ch1 2016CISA

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ch1 2016CISA

Uploaded by

Copyright:

Available Formats

2016 CISA REVIEW COURSE

© Copyright 2014 ISACA. All rights reserved.

Chapter 1: The Process of Auditing Information Systems

This course is designed to ensure that:

© Copyright 2014 ISACA. All rights reserved.

There are T1.1 Develop and implement a risk-based IT

© Copyright 2014 ISACA. All rights reserved.

T1.4 Report audit findings and make recommendations to

© Copyright 2014 ISACA. All rights reserved.

There are 10 KS1.1 Knowledge of ISACA IT Audit and

© Copyright 2014 ISACA. All rights reserved.

KS1.4 Knowledge of audit planning and audit project

© Copyright 2014 ISACA. All rights reserved.

KS1.7 Knowledge of evidence collection techniques (e.g.,

© Copyright 2014 ISACA. All rights reserved.

• Audit charter (or engagement letter)

© Copyright 2014 ISACA. All rights reserved.

• Limited number of IS auditors

© Copyright 2014 ISACA. All rights reserved.

Shot- term and Long-term Things to Consider

© Copyright 2014 ISACA. All rights reserved.

© Copyright 2014 ISACA. All rights reserved.

Regulatory requirements generally describe the:

• Correlation of the regulation to financial, operational and IS audit

© Copyright 2014 ISACA. All rights reserved.

Steps to determine compliance with external requirements:

• Document pertinent laws and regulations

• Assess whether management and the IS function have considered

© Copyright 2014 ISACA. All rights reserved.

• The Association’s Code of Professional Ethics provides

© Copyright 2014 ISACA. All rights reserved.

Framework for the ISACA IS Auditing Standards:

© Copyright 2014 ISACA. All rights reserved.

Objectives of • To inform management and other

© Copyright 2014 ISACA. All rights reserved.

© Copyright 2014 ISACA. All rights reserved.

© Copyright 2014 ISACA. All rights reserved.

1001– Audit Charter 1002– Organizational

© Copyright 2014 ISACA. All rights reserved.

1003– Professional 1004– Reasonable Expectation

© Copyright 2014 ISACA. All rights reserved.

1005– Due Professional Care 1006– Proficiency

• Exercise due professional • Possess adequate skills and

© Copyright 2014 ISACA. All rights reserved.

1007– Assertions 1008– Criteria

• Review the assertions • Select criteria that are

© Copyright 2014 ISACA. All rights reserved.

1201– Engagement Planning 1202– Risk Assessment in Audit

© Copyright 2014 ISACA. All rights reserved.

1203– Performance and Supervision

• Work in accordance with the approved IS audit plan to cover

© Copyright 2014 ISACA. All rights reserved.

• Consider potential weaknesses or absences of controls while

© Copyright 2014 ISACA. All rights reserved.

1204 – Materiality 1205 – Evidence

© Copyright 2014 ISACA. All rights reserved.

1206 – Using the Work of Other Experts

• Consider using the work of other experts for the IS audit or

© Copyright 2014 ISACA. All rights reserved.

1207– Irregularity and Illegal Acts

• Consider the risk of irregularities and illegal acts

© Copyright 2014 ISACA. All rights reserved.

1401 – Reporting 1402 – Follow-up Activities