Certified Information Systems Auditor (CISA®)
Domain 01: Process of Auditing Information Systems
An ISACA® Certification based on CISA® 2014 Curriculum.
Copyright 2014, Simplilearn, All rights reserved.
Copyright 2012-2014, Simplilearn, All rights reserved.
Objectives
After completing this domain, you will be able to:
● Describe the tasks and knowledge statements related to this domain
● Understand how an IS audit function should be managed
● Detail ISACA IS audit and Assurance Guidelines and Standards
● Discuss Internal Controls
● Discuss risks and analyze them
● Demonstrate how an information system audit should be performed
● Explain the control Assessment
● Expound the IS audit process
Introduction
Task and Knowledge statements:
● Task statements are what a CISA candidate is expected
to know how to perform.
● Knowledge statements are what a CISA candidate should
have a good grasp of in order to perform the tasks.
● Task and knowledge statements establish and maintain
the process of auditing information systems. A task can be
mapped to more than one knowledge statement.
Process of Auditing Information Systems
Knowledge Statement 1.1
ISACA IS Audit Best Practice Resources
Knowledge Statement 1.1
Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques,
Code of Professional Ethics and other applicable Standards
Explanation:
● The credibility of an audit is based on the use of commonly accepted standards
● ISACA is the global pioneer of IS Assurance and Audit Guidelines, Tools and Techniques, Standards,
and the Professional Code of Ethics
● ISACA standards provide a universal benchmark for IS Audit
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● ISACA Code of Professional Ethics
● ISACA Information Systems Assurance and Audit Standards Framework
● ISACA Information Systems Assurance and Audit Tools and Techniques
● ISACA Information Systems Assurance and Audit Guidelines
● Relationship among Guidelines, and Tools and Techniques and Standards
The CISA Exam will only test understanding of the application of the Standards and Guidelines.
To learn about Management of an IS Audit Function, please refer to the e-learning material.
ISACA Code of Professional Ethics
ISACA set forth a code governing the professional conduct and ethics of all certified IS auditors and
members of the association. Members and certification holders shall:
● Support the implementation of, and encourage compliance with, appropriate standards,
procedures and controls for information systems.
● Perform their duties with due diligence and professional care, in accordance with professional
standards and best practices.
● Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high
standards of conduct and character, and not engage in acts discreditable to the profession.
● Maintain the privacy and confidentiality of information obtained in the course of their duties,
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
ISACA Code of Professional Ethics (contd.)
Members and certification holders shall also:
● Maintain competency in their respective fields and agree to undertake only those activities which
they can reasonably expect to complete with professional competence.
● Inform appropriate parties of the results of work performed, revealing all significant facts known
to them.
● Support the professional education of stakeholders in enhancing their understanding of
information systems security and control.
Failure to comply with code of professional ethics can result in an investigation into a member's
and/or certification holder's conduct and, ultimately, in disciplinary measures.
For ISACA definitions of Standards, Guidelines and Tools and Techniques, please refer to the e-learning material.
ISACA IT Audit and Assurance Standards Framework
Objectives of IS audit and assurance standards are to inform:
● IS auditors of the bare minimum level of performance needed to meet the professional
responsibilities set out in the Professional Code of Ethics;
● the management of the profession’s requirement concerning the work of audit practitioners; and
● holders of the CISA certification that failure to meet with these standards may result in a review
into the CISA holder’s conduct by the ISACA Board of Directors which may ultimately result in
disciplinary action.
ISACA IS Audit and Assurance Guidelines
ISACA IS Assurance Audit guidelines provide additional information on how to comply with ISACA
Information Technology Assurance and Audit Standards. The IS Auditor should use professional
judgment and be able to justify any differences.
Guidelines documents are identified by a prefix G, followed by the number. For example: “G10”.
There are 42 categories of guidelines.
Examples of important guidelines are:
● G5 – Audit Charter, effective 1 February 2008
● G9 – Audit Considerations for Irregularities and Illegal Acts, effective 1 September 2008
● G17 – Effect of Non-audit Role on the IS Audit and Assurance Professional’s Independence,
effective 1 May 2010
● G35 – Follow-up Activities, effective 1 March 2006
ISACA IS Audit and Assurance Tools and Techniques
ISACA IS Audit and Assurance Tools and Techniques provide further examples of possible processes an
IS auditor may follow in an audit engagement. Tools and techniques are currently categorized into:
● Reference series (books)
● Audit/Assurance programs
● White papers
● Journal articles
It is not required for the Information System auditor to follow these tools and techniques; however, following
these processes will provide a guarantee that the auditor is following standards.
To learn about Information Technology Assurance Framework (ITAF™), please refer to the e-learning material.
Process of Auditing Information Systems
Knowledge Statement 1.2
Risk Assessment and Risk Analysis
Knowledge Statement 1.2
Knowledge of risk assessment concepts, tools and techniques in an audit context
Explanation:
● Overall audit plan should focus on business risks related to use of IT
● Area under audit represents the audit scope
● The auditor uses risk analysis techniques to establish the critical areas to focus on within the audit scope
(the focus is on high-risk areas)
● Limited audit resources require this kind of focus in drawing the audit plan
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Risk Analysis
● Audit Methodology
● Risk-Based Auditing
● Audit Risk and Materiality
● Risk Assessment and Treatment
● Risk Assessment techniques
Risk Analysis
Risk analysis assists an auditor in recognizing vulnerabilities and risks, and in defining the
controls to be put in place to ensure such risks are mitigated.
Risk is defined as the combination of the likelihood of an event and its magnitude (ISO/IEC 73).
IT Risk is specifically the enterprise risk associated with the ownership, use, operation, influence,
involvement and adoption of Information Technology within a business (ISACA’s IT Risk Framework).
Risk Analysis (contd.)
From the Information System audit’s view, risk analysis aids in the following:
● It helps the auditor identify threats and risks within the IS environment.
● It assists in planning the audit by evaluating controls in place.
● The auditor will be in a position to know the audit objective.
● Decision making is easier as a risk-based methodology is used.
Risk-Based Audit Approach
In the risk-based audit approach, the areas that should be audited are determined by the
perceived level of risk.
Residual Risk – This represents management’s risk appetite. Normally, controls would be
implemented to mitigate risk to acceptable levels (i.e. residual risk).
Audit risk is the risk that:
● a report or information contains an error that is material; and
● that error remains undetected throughout the audit period.
Inherent, Control, Detection and Overall Audit Risk
Following are the different types of risk:
Inherent Risk – Probability of an error existing that might be material, assuming compensating
controls do not exist. It:
• exists irrespective of an audit;
• is contributed to by the nature of a business.
Control Risk – Probability that a material error exists which will not be prevented or detected on a
timely basis by the system of internal controls.
Detection Risk – Probability that the Information Systems Auditor (ISA) used inadequate checks and
surmises that material errors are absent when, in fact, they do exist.
Overall Audit Risk – Summation of all audit risk groups for each control objective.
Risk Assessment and Treatment
Risk Assessment
● Risk assessment involves identifying, prioritizing and quantifying risks against criteria for risk
tolerance and objectives relevant to the organization.
● Risk assessments should be carried out regularly to ensure they address changes in the security and risk
situation and environment, especially when key changes take place.
Risk Treatment
● Risk mitigation – applying adequate controls to lower the risks
● Risk acceptance – objectively and knowingly not taking action
● Risk avoidance – Evading risks by ensuring actions that cause the risk are prevented.
● Risk transfer/sharing – Sharing the risk with third parties such as suppliers or insurance
companies.
Risk Assessment Methods
Different methods are employed to perform risk assessments. Examples: Scoring System Method and
Judgmental Method
● A combination of methods may be used
● Methods may develop and change over time
● All methods depend on subjective judgment
● Auditor should evaluate appropriateness of any chosen risk methodology
Process of Auditing Information Systems
Knowledge Statement 1.3
Control Objectives and IS Controls
Knowledge Statement 1.3
Knowledge of control objectives and controls related to information systems
Explanation:
● IS Auditing involves assessment of IS-related controls and understanding control objectives
● It also involves identifying key controls that help achieve a well controlled environment (i.e. as per
standards)
● COBIT provides a control framework that the IS auditor can use to benchmark IS audit control
objectives
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Audit Planning
● IS Control Objectives
● COBIT 5
● IS Controls
Although COBIT is an excellent resource for CISA Exam preparation, COBIT definitions or references will
not be tested in the final CISA exam.
Internal Controls
Internal control is a process in which an enterprise’s structure, authority and workflows, and
management information systems are implemented to achieve specific objectives while minimizing
risk. Internal controls:
● comprise enterprise structures, procedures, policies and practices implemented to lower the level
of risk in an enterprise;
● can be manual or automated.
Internal Controls (contd.)
Internal Controls consider two things:
● What can be attained?
● What can be evaded?
Internal controls procedures have two categories:
● General control procedures
● Information system control procedures
Classification of Internal Controls
Following is the classification of internal controls:
Preventive Controls
● Prevent issues; predict and detect problems before they occur.
● Example: Locking an office to prevent unauthorized access or theft; authentication
mechanisms like RSA tokens to avoid man-in-the-middle attacks (MiM).
Corrective Controls
● Minimize the impact of a threat, identify the cause of a problem, etc.
● Example: Backup will ensure recovery by restoring data from the magnetic tapes, virtual
tape libraries or other backup technology in use.
Detective Controls
● Report the incidence of errors, attacks and omissions as they occur.
● Example: Logical and physical access logging such as application audit trails, database
security logging, and server room access control door logging to know who went in and when.
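A detective control such as the server room door logging mentioned above only delivers value when the trail is actually reviewed. The following Python script is an added example and not part of the Simplilearn material: it parses a constructed door-controller log (the line format, badge numbers, the authorized-badge list and the business-hours window are all assumptions made for this example), reports who went in and when, and flags after-hours entries, entries granted to badges not on the authorized list, denied attempts, and any log lines it could not parse.

```python
import re
from datetime import datetime, time

# Constructed server-room door-controller log for the example (not a real system's output).
DOOR_LOG = """\
2014-03-03T08:02:11 door=SRV-ROOM-1 badge=4471 event=entry result=granted
2014-03-03T08:40:55 door=SRV-ROOM-1 badge=5120 event=entry result=denied
2014-03-03T12:15:03 door=SRV-ROOM-1 badge=4471 event=exit result=granted
2014-03-03T23:47:30 door=SRV-ROOM-1 badge=3098 event=entry result=granted
2014-03-04T02:10:12 door=SRV-ROOM-1 badge=5120 event=entry result=granted
2014-03-04T09:05:44 door=SRV-ROOM-1 badge=4471 event=entry result=granted
"""

# Assumed access list and business hours for the review (hypothetical values).
AUTHORIZED_BADGES = {"4471", "3098"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

LINE_RE = re.compile(
    r"^(?P<ts>\S+) door=(?P<door>\S+) badge=(?P<badge>\d+) "
    r"event=(?P<event>\w+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Turn each log line into a dict. Malformed lines are returned separately:
    a gap in a detective control's audit trail is itself something to follow up."""
    records, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, malformed


def entries_by_badge(records):
    """Who went in and when: timestamps of granted entries, grouped per badge."""
    result = {}
    for rec in records:
        if rec["event"] == "entry" and rec["result"] == "granted":
            result.setdefault(rec["badge"], []).append(rec["ts"])
    return result


def review_entries(records, authorized=AUTHORIZED_BADGES, hours=BUSINESS_HOURS):
    """Detective review of the trail: collect the events a reviewer would follow up."""
    start, end = hours
    findings = {"after_hours": [], "unauthorized": [], "denied": []}
    for rec in records:
        if rec["event"] != "entry":
            continue
        if rec["result"] == "denied":
            findings["denied"].append(rec)
            continue
        if not (start <= rec["ts"].time() <= end):
            findings["after_hours"].append(rec)
        if rec["badge"] not in authorized:
            findings["unauthorized"].append(rec)
    return findings


if __name__ == "__main__":
    records, malformed = parse_log(DOOR_LOG)
    for badge, times in entries_by_badge(records).items():
        print(badge, [t.isoformat() for t in times])
    for kind, recs in review_entries(records).items():
        for rec in recs:
            print(f"{kind}: badge {rec['badge']} at {rec['ts'].isoformat()}")
    if malformed:
        print("malformed lines:", malformed)
```

Run as a script it prints the per-badge entry times followed by the findings; in the constructed log the badge that was denied in the morning is granted entry at 02:10 the next night, which is the kind of pattern a periodic log review exists to surface.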
IS Control Objectives
IS control objectives provide top-level requirements by management for adequate control of each
Information Technology process. IS control objectives are:
● a statement of the preferred purpose or result to be attained by applying controls around
information systems processes;
● procedures, policies, organizational structures and practices; and
● intended to reasonably assure that enterprise objectives will be achieved while undesired events
are detected, corrected or prevented.
IS Control Objectives – Examples
Examples of IS Control Objectives:
● Ensure Integrity of the system such as Operating System integrity.
● Ensure integrity of the sensitive and critical application systems (e.g. sensitive financial data or
customer data).
● Safeguard assets.
● Ensure effectiveness and efficiency of operations.
● Ensure proper authentication process for users.
● Ensure the effectiveness of the objective.
● Ensure availability of service through Disaster Recovery Plan and Business Continuity Planning.
To learn about COBIT®5, please refer to the e-learning material.
IS Controls
IS control procedures include the following:
● Strategy and direction of the IT function
● General organization and management of the IT function
● Access to Information Technology programs, data and resources
● System development procedures
● Operation procedures
● System programming and system support departments
● Physical access controls
● Business Continuity (BCP)
● Quality Assurance (QA) processes
● Detective and protection mechanisms
● Communications and networks
● Database administration
To learn about Classification of Audits, please refer to the e-learning material.
Process of Auditing Information Systems
Knowledge Statement 1.4
Audit Planning, Project Management Techniques and Follow-up
Knowledge Statement 1.4
Knowledge of audit planning and audit project management techniques, including follow-up
Explanation:
● Adequate audit planning is required to achieve audit objectives within time and budget constraints
for a given audit scope
● Preplanning for efficient and effective use of audit resources (i.e. time, people etc.)
● Audit project planning and management techniques
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Audit Methodology
● IS Audit Resources Management
● Audit Objectives
● Effect of Laws and Regulations on IS Audit Planning
● Audit Programs
● Audit Planning
Audit Program
An Audit Work Program represents the audit plan and strategy. It has audit procedures, scope and objectives. The
Audit Work Program:
● is a guide for documenting various audit steps performed and the types and extent of evidential matters
reviewed;
● provides a trail of the process used; and
● provides accountability for performance.
IS Audit Process Steps
● Plan – assess risks, develop audit program: objectives, procedures (Guidance 5)
● Obtain and evaluate evidence – strengths and weaknesses of controls
● Prepare and present report – draft and final report
● Follow-up – corrective actions taken by management (Guidance 35)
To learn about Audit Procedures, please refer to the e-learning material.
Audit Methodology
Audit Methodology refers to standard audit procedures to be used to attain objectives of the audit.
It is a documented approach for performing the audit in a continuous and recurring manner in order
to achieve the planned audit objectives.
Audit Methodology Components
● Scope
● Audit objectives
● Work programs
To learn about Audit Methodology Phases, please refer to the e-learning material.
Process of Auditing Information Systems
Knowledge Statement 1.5
Fundamental Business Processes
Knowledge Statement 1.5
Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable,
accounts receivable) including relevant IT
Explanation:
● Identification of the key enterprise risks requires an understanding of the organization, its environment,
and its control objectives
● The type and nature of the transactions the entity engages in, and with whom
● The flow of these transactions and how they are captured in information systems
Fundamental Business Processes – Transaction Examples
Examples:
A bank may have various transactions such as mobile banking, ATM transactions, over the counter
transactions (e.g. deposits, withdrawals) etc.
A chain store may have PoS (Point of Sale) transactions with credit card information, or cash extranet
transactions with suppliers (Electronic Data Interchange) etc.
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Risk Analysis
● IS Control Objectives
● IS Controls
● COBIT 5
Process of Auditing Information Systems
Knowledge Statement 1.6
Applicable Laws and Regulations for IS Audit
Knowledge Statement 1.6
Knowledge of applicable laws and regulations that affect the scope, evidence collection and
preservation, and frequency of audits
● Fraud investigations or legal proceedings require the integrity of the evidence be maintained
throughout its life cycle (called chain of custody in forensic evidence)
● Legal requirements include laws, regulations and/or contractual agreements placed on the audit (or IS
audit) or on the auditee. Management and audit personnel in an organization should be aware of
external requirements for computer system practices and controls, and for how data is processed,
transmitted and stored. The need to comply with different laws raises legal requirements that
affect audit objectives and audit scope.
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Evidence
● Audit Documentation
● Continuous Auditing
To learn about Effect of Laws and Regulation on IS Audit Planning, please refer to the e-learning material.
Process of Auditing Information Systems
Knowledge Statement 1.7
Evidence Collection Techniques
Knowledge Statement 1.7
Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview,
data analysis) used to gather, protect and preserve audit evidence
Explanation:
● Audit findings must be supported by objective evidence
● Know techniques to gather and preserve evidence
● Information is gathered through inquiry, observation, interview, and analysis using CAATs (Computer
Assisted Auditing Techniques) such as ACL and IDEA, among others.
● Electronic media may be used to retain audit evidence to support audit findings
● Retention policies should meet requirements for such evidence to support audit findings
Main Areas of Coverage
The main areas covered under this knowledge statement include:
● Computer Assisted Audit Techniques (CAATs)
● Evidence
● Interviewing and Observing Personnel in Performance of their duties
● Continuous Auditing
● Audit Documentation
Evidence
Evidence:
● is the information the Information Systems Auditor (ISA) gathers in the course of performing an IS
audit to meet the audit objectives by supporting the audit findings.
● must directly relate to the objectives of the review.
● gathering is key to the audit process.
● is mandatory under standard ‘S6 Performance of Audit Work’.
● should be appropriately organized and documented to support the findings and conclusion(s).
Reliability of Evidence
Determinants for the reliability of evidence include:
● Independence of the provider of the evidence
● Qualification of the individual providing the information/evidence
● Objectivity of the evidence
● Timing of the evidence
Given an audit scenario in the exam, a candidate should be able to determine which type of evidence
gathering technique would be best.
Evidence Characteristics and Types
The confidence level of evidence is based on its value. Audit evidence is considered:
● sufficient if it is complete, adequate, convincing and would lead another ISA to form the same
conclusions;
● useful if it assists ISAs in meeting their audit objectives;
● reliable if, in the auditor’s opinion, it is valid, factual, objective and supportable; and
● relevant if it pertains to the audit objectives and has a logical relationship to the findings and
conclusions it is used to support.
To learn about Types of Audit Evidence and Techniques for Gathering Evidence, please refer to the e-learning material.
Techniques for Gathering Evidence
Techniques for gathering evidence include the following:
● Reviewing IS organizational structures
● Reviewing IS documentation
● Reviewing IS Standards
● Reviewing IS Policies and Procedures
● Interviewing appropriate personnel
● Observing processes and employee performance
● Reperformance
● Walkthroughs
Audit Documentation
Audit documentation should, at a minimum, include a record of:
● Planning and preparation of audit scope and objectives
● Description and/or walkthroughs of the scoped audit area
● Audit program
● Audit steps performed and audit evidence gathered
● Use of the services of other auditors or experts
● Audit findings, conclusions and recommendations
● Audit documentation relationships, including document identification and dates
Process of Auditing Information Systems
Knowledge Statement 1.8
Sampling Methodologies
Knowledge Statement 1.8
Knowledge of different sampling methodologies
Explanation:
● Compliance testing involves gathering evidence in order to test the enterprise’s compliance with
control procedures.
● Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data
or other information.
● Presence of adequate internal controls (established through compliance testing) minimizes the
number of substantive tests that have to be done.
Sampling Methodologies (contd.)
● Conversely, weaknesses in internal controls will increase the need for, or the number of, substantive tests.
● Sampling is done when it is not logical to test or verify every transaction in the population (the
population consists of all items in the area being examined), considering the time and cost needed.
Main Areas of Coverage:
● Compliance Versus Substantive testing
● Sampling
Sampling
A sample is a subset of population members used to infer characteristics about a population, based
on the results of examining characteristics of a sample of the population.
● A population consists of the entire group of items that need to be examined.
● The sample must represent as closely as possible the characteristics of the whole population.
The IS Auditor is not expected to be a sampling expert but should have knowledge of general sampling
principles and how to design a sample that can be relied upon (regulatory requirements on organizations).
General Approaches to Sampling
Sampling can either be statistical or non-statistical.
Statistical Sampling
Uses an objective method to determine:
● Sample size
● Selection criteria
● Sample precision
● Reliability or confidence level
This can be used to infer population characteristics from the sample and is the preferred method.
Non-statistical Sampling
Uses subjective judgment to determine:
● Method of sampling
● Sample size
● Sample selection
This cannot be used to infer population characteristics from the sample and is not the preferred
method of sampling.
Sampling risk is the risk that the auditor will draw the wrong conclusions from the sample. Both statistical
and non-statistical sampling require auditor judgment.
Attribute and Variable Sampling
Sampling methods are of two types, attribute sampling and variable sampling.
Attribute sampling
● Also known as proportional sampling
● Deals with the presence or absence of an attribute
● Generally used in compliance testing
● Conclusions expressed in rates of incidence
Types:
● Attribute sampling, or fixed sample size attribute sampling, or frequency estimation
● Stop-or-go sampling
● Discovery sampling
Variable sampling
Used to estimate the dollar value or some other unit of measure like weight. Also known as:
● dollar estimation, or
● mean estimation sampling, or
● quantitative sampling
● Applied in substantive testing
● Provides conclusions related to deviations from the norm
Types:
● Stratified mean per unit
● Un-stratified mean per unit
● Difference estimation
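The statistical versus non-statistical distinction and the attribute versus variable sampling types above can be made concrete in a short script. The following Python code is an added example, not part of the Simplilearn material and not taken from any GAS product: it builds a constructed population of purchase transactions, computes an objective fixed sample size for attribute sampling from the confidence level, expected deviation rate and tolerable precision (using the normal-approximation formula z² · p(1 - p) / e², which is an assumption of the example rather than something the slides state), draws the sample at random, tests the "approved" attribute for a rate of incidence, and then applies the three variable-sampling estimators named above (un-stratified mean per unit, stratified mean per unit, difference estimation) to the audited amounts. The seeds, error rates and amount ranges are constructed values.

```python
import math
import random
import statistics

# z-scores for the confidence levels commonly used in attribute sampling (normal approximation).
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def build_population(size=200, seed=7):
    """Constructed population of purchase transactions (not real audit data).

    Each record carries the recorded (book) amount, the amount an auditor would
    find on reperformance ('audited'), and whether the purchase was approved.
    Roughly 4% of records lack approval and roughly 5% carry a recording error."""
    rng = random.Random(seed)
    population = []
    for i in range(1, size + 1):
        recorded = round(rng.uniform(50.0, 2000.0), 2)
        error = round(rng.uniform(-100.0, 100.0), 2) if rng.random() < 0.05 else 0.0
        population.append({
            "id": i,
            "recorded": recorded,
            "audited": round(recorded + error, 2),
            "approved": rng.random() >= 0.04,
        })
    return population


def attribute_sample_size(confidence, expected_rate, precision):
    """Fixed sample size for attribute sampling. The inputs are the objective
    parameters a statistical sample is built from: confidence level, expected
    deviation rate and tolerable precision."""
    z = Z_SCORES[confidence]
    return math.ceil(z ** 2 * expected_rate * (1 - expected_rate) / precision ** 2)


def select_sample(population, n, seed=11):
    """Random selection: every item has the same chance of being picked."""
    return random.Random(seed).sample(population, n)


def attribute_test(sample, attribute="approved"):
    """Compliance test: rate of incidence of the missing attribute in the sample."""
    deviations = sum(1 for rec in sample if not rec[attribute])
    return deviations / len(sample)


def mean_per_unit_estimate(sample, population_size, field="audited"):
    """Un-stratified mean per unit: project the sample mean onto the population."""
    return statistics.mean(rec[field] for rec in sample) * population_size


def difference_estimate(sample, population):
    """Difference estimation: project the mean (audited - recorded) difference
    onto the population and add it to the known book total."""
    mean_diff = statistics.mean(rec["audited"] - rec["recorded"] for rec in sample)
    book_total = sum(rec["recorded"] for rec in population)
    return book_total + mean_diff * len(population)


def stratified_mean_per_unit(population, per_stratum, cutoff=1000.0, seed=13):
    """Stratified mean per unit: sample each amount band separately and add the
    stratum projections, which lowers sampling risk for skewed populations."""
    strata = [
        [r for r in population if r["recorded"] < cutoff],
        [r for r in population if r["recorded"] >= cutoff],
    ]
    total = 0.0
    for members in strata:
        if not members:
            continue
        n = min(per_stratum, len(members))
        total += mean_per_unit_estimate(select_sample(members, n, seed), len(members))
    return total


if __name__ == "__main__":
    population = build_population()
    n = attribute_sample_size(confidence=0.95, expected_rate=0.05, precision=0.05)
    sample = select_sample(population, n)
    print(f"sample size {n}, deviation rate {attribute_test(sample):.3f}")
    actual = sum(r["audited"] for r in population)
    print(f"actual audited total      {actual:12.2f}")
    print(f"mean-per-unit estimate    {mean_per_unit_estimate(sample, len(population)):12.2f}")
    print(f"stratified mean-per-unit  {stratified_mean_per_unit(population, 30):12.2f}")
    print(f"difference estimate       {difference_estimate(sample, population):12.2f}")
```

Running the script prints the deviation rate from the compliance test and the three substantive estimates beside the population's true audited total, so the sampling risk (how far each estimate lands from the truth) is visible directly. Difference estimation lands closest here because it only projects the errors, while the mean-per-unit estimators project the whole amount; that is the usual reason to prefer it when book values are available.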
Computer-Assisted Audit Techniques (CAATs)
Automated tools and techniques used for gathering and analyzing data from computer systems to
meet a predetermined audit objective.
CAATs
The CAATs process involves:
● Understanding the client
● Obtaining effective evidence
● Data analysis
● Reporting
CAATs are necessitated by differences in HW and SW environments, data structures, record formats and
processing functions.
Examples of CAATs
● Generalized audit software, e.g. IDEA, ACL
● Utility software, e.g. DBMS report writers
● Debugging and scanning software
● Test data
● Expert systems
● SQL commands
● Third party access control software
● Application software tracing and mapping
● Options and reports built into a system
Computer Assisted Audit Techniques (CAATs) (contd.)
Functional capabilities of Generalized Audit Software (GAS) are as follows:
● File access – reading different file structures and record formats
● File reorganization – indexing, sorting, merging, linking
● Data selection – filtration conditions, selection criteria
● Statistical functions – sampling, stratifications, frequency analysis
● Arithmetic functions – arithmetic operators and functions
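The five GAS capabilities listed above map onto a handful of functions over a data extract. The following Python script is an added example and not code from any GAS product or from the Simplilearn material: it reads a constructed accounts-payable CSV extract (file access), sorts and matches records (file reorganization), filters on a condition (data selection), stratifies amounts and counts invoices per vendor (statistical functions), and computes a control total (arithmetic functions). The vendor names, invoice numbers, approver IDs and amount bands are all constructed for the example.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed accounts-payable extract in the CSV form a GAS tool would read (not real data).
AP_EXTRACT = """\
invoice_id,vendor,amount,approver,paid_on
1001,Acme Supplies,450.00,jsmith,2014-03-02
1002,Acme Supplies,450.00,jsmith,2014-03-02
1003,Northwind Traders,12800.00,,2014-03-05
1004,Globex Corp,980.50,kpatel,2014-03-07
1005,Northwind Traders,25000.00,jsmith,2014-03-09
1006,Acme Supplies,75.25,kpatel,2014-03-11
1007,Initech,9999.99,jsmith,2014-03-12
1008,Globex Corp,10000.00,,2014-03-15
"""

# Assumed amount bands for stratification: (label, inclusive lower, exclusive upper or None).
BANDS = [("under_1k", 0, 1000), ("1k_to_10k", 1000, 10000), ("10k_and_over", 10000, None)]


def read_extract(text):
    """File access: read the record format and type the amount field exactly
    (Decimal rather than float, so arithmetic on money does not drift)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def select(rows, predicate):
    """Data selection: keep only the records that meet the auditor's filter condition."""
    return [row for row in rows if predicate(row)]


def sort_by(rows, field, reverse=False):
    """File reorganization: sort on any field, e.g. amount or vendor."""
    return sorted(rows, key=lambda row: row[field], reverse=reverse)


def duplicates(rows, *fields):
    """File reorganization (matching/linking): group records sharing the same key
    fields, e.g. vendor and amount, which is how possible duplicate payments surface."""
    groups = {}
    for row in rows:
        key = tuple(row[f] for f in fields)
        groups.setdefault(key, []).append(row["invoice_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def frequency(rows, field):
    """Statistical function: frequency analysis of one field's values."""
    return Counter(row[field] for row in rows)


def stratify(rows, bands):
    """Statistical function: count records per amount band."""
    counts = {label: 0 for label, _, _ in bands}
    for row in rows:
        for label, lower, upper in bands:
            if row["amount"] >= lower and (upper is None or row["amount"] < upper):
                counts[label] += 1
                break
    return counts


def total(rows):
    """Arithmetic function: control total of the amount field."""
    return sum((row["amount"] for row in rows), Decimal("0"))


if __name__ == "__main__":
    rows = read_extract(AP_EXTRACT)
    print("control total:", total(rows))
    print("missing approver:", [r["invoice_id"] for r in select(rows, lambda r: not r["approver"])])
    print("possible duplicates:", duplicates(rows, "vendor", "amount"))
    print("invoices per vendor:", frequency(rows, "vendor"))
    print("strata:", stratify(rows, BANDS))
    print("largest first:", [r["invoice_id"] for r in sort_by(rows, "amount", reverse=True)][:3])
```

The control total is the first thing to reconcile against the source system, because the "integrity of imported data" item in the considerations list below depends on proving the extract is complete before any of the other functions are trusted.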
Computer Assisted Audit Techniques (CAATs) (Contd.)
Things to consider for CAATs
● Cost benefit analysis
● Ease of use for current and future audit staff
● Training requirements
● Complexity of coding and maintenance
● Flexibility of uses
● Installation requirements
● Processing efficiencies
● Effort to obtain source data into CAAT
● Integrity of imported data by safeguarding authenticity
● Recording time stamp of data downloaded at critical point for credibility of review
● Reliability of software
● Confidentiality of data being processed
Process of Auditing Information Systems
Knowledge Statement 1.9
Reporting and Communication Techniques
Knowledge Statement 1.9
Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict
resolution, audit report structure)
Explanation:
● Communication needs to be effective and clear in order to improve the quality of the audit and
maximize results.
● When an argument ensues between the auditor and the auditee over the accuracy of the findings during
the presentation of the final IS audit findings report, it makes the audit process
counterproductive and quickly dilutes the audit process and its value.
Reporting and Communication Techniques (contd.)
● Audit findings reported to stakeholders need to have appropriate buy-in from the auditees for the
audit process to be successful and value adding.
● Communication skills determine the effectiveness of the audit reporting process.
● Communication and negotiation skills are required throughout the audit activity.
Main Areas of Coverage:
● Communicating Audit Results
● Information Technology Assurance Framework (ITAF) (Section 2600 – Reporting Standards)
Communication of Audit Results
During exit interviews the IS auditor should ensure:
● Facts presented in the report are accurate
● Recommendations are realistic and cost-effective
● Implementation dates are recommended for the agreed-on recommendations
Presentation techniques include:
● Executive summary – An easy-to-read, concise report that presents a summary of the entire report.
● Visual presentation – May include slides or computer graphics.
Communication of Audit Results (contd.)
Before communicating the results of an audit to senior management, the IS auditor should discuss the
findings with the management staff of the audited entity.
This is to ensure an agreement is reached for the findings as well as the corrective action to be taken
into consideration.
The CISA candidate should become familiar with the ISACA S7 Reporting and S8 Follow-up
Activities standards.
Process of Auditing Information Systems
Knowledge Statement 1.10
Audit Assurance Systems and Frameworks
Knowledge Statement 1.10
Knowledge of audit quality assurance systems and frameworks
Explanation:
● Auditing standards are minimum parameters to be taken into account when performing an audit
● The IS auditor needs to understand the impact of the IS environment on traditional auditing practices and
techniques to ensure the audit objective is achieved.
● Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of facilitator to business process
owners to help them define and assess appropriate controls (taking into consideration the risk appetite of the
organization)
● Process owners are best placed to define appropriate controls, due to their process knowledge
● IS auditors helps process owners understand need for controls based on business risk.
Main Areas of Coverage
The main areas covered under this knowledge statement are:
● Audit programs
● Audit methodology
● Audit objectives
● Evaluation of audit strength and weakness
● Control Self Assessment (CSA)
● Objectives, advantages and disadvantages of CSA
● Auditors Role in CSA
● Using services of other Auditors and Experts
● Traditional vs. CSA Approach
Control Self Assessment (CSA)
CSA is a methodology used to review key business objectives, risks involved in achieving the business
objectives and internal controls designed to manage these business risks in a formal, documented,
collaborative process.
● CSA is a management technique that assures stakeholders, customers, and other parties that the
internal control system of the organization is reliable.
● It ensures employees are aware of business risk and that they conduct periodic, proactive reviews
of controls.
● CSA involves a range of tools on a continuum of sophistication, from simple questionnaires
to facilitated workshops.
Objectives of a CSA
The objectives of a CSA are to:
● leverage the internal audit function by shifting some of the control monitoring responsibilities to
the functional areas;
● ensure line managers are in charge of monitoring controls; and
● educate management on control design and monitoring.
COBIT provides guidance on development of a CSA.
Benefits of a CSA
Benefits of a CSA include the following:
● More effective internal controls
● Early detection of risk
● Creates cohesive teams through employee involvement
● Develops a sense of ownership of controls in employees and process owners
● Improved audit rating process
● Reduction in control cost
● Increased communication between operations and top management
● Highly motivated employees
● Assurance provided to stakeholders and customers
CSA Disadvantages and Role of Auditor
Disadvantages of a CSA
● Might be mistaken for a replacement of the audit function.
● May be seen as additional workload (e.g. writing reports to management).
● Failure to act on improvement suggestions could damage employee morale.
● Inadequate motivation limits effectiveness in discovering weak controls.
Auditor's role in CSA
● Internal control professional and assessment facilitator (the management staff are the ones
participating in the CSA process, not the auditor)
Traditional Vs. CSA Approach
The following table compares the traditional audit approach with CSA:
Traditional Audit Approach          | CSA Approach
Assigns tasks                       | Empowered and accountable employees
Policy driven                       | Continuous improvement learning curve
Limited employee participation      | Extensive employee participation and training
Limited stakeholder focus           | Broad stakeholder focus
Auditors and other specialists      | Staff at all levels, in all functions, are the primary control analysts
Domain One Exam Quick Pointers
1. The auditor is a facilitator in a control self-assessment.
2. Examples of substantive tests include testing samples of an inventory of backup tapes.
3. Control self-assessment (CSA) enhances audit responsibility as one of its key objectives.
4. Accountability cannot be enforced without identification and authentication in an access
control system.
5. IS auditors will likely perform compliance tests of internal controls if, after their initial
evaluation of the controls, they conclude that control risks are within acceptable limits.
6. Identification of high-risk areas is the most important step in an audit plan.
7. The auditor should be aware of the data flows within an enterprise when assessing corrective,
preventive or detective controls.
8. Responsibility and accountability can be established by use of audit trails.
Domain One Exam Quick Pointers (contd.)
9. Identification of high-risk areas should be the first point of concern when implementing
continuous auditing or continuous monitoring systems.
10. A risk-based auditing approach ensures that audit resources are allocated to the areas of highest
concern.
11. Inherent risk is the probability that an error exists which could be material, assuming there are no
related compensating controls.
12. When an auditor has noted threats and their impact on an enterprise, the auditor should also evaluate
the existing controls.
13. To check for duplicates, an auditor can use generalized audit software.
14. Detection risk can be minimized by use of statistical sampling.
Domain One Exam Quick Pointers (contd.)
15. An IS auditor should be concerned with a lack of reporting of successful attacks on the network.
16. Detection risk is the probability that the IS auditor's procedures are inadequate and the auditor
concludes that material errors are absent when in fact they exist.
17. An integrated test facility is a useful audit tool because it processes the auditor's test transactions
through the live system alongside production data (using a fictitious test entity), so that actual
results can be compared with expected results.
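As an added example that is not part of the original slides, the script below shows in Python the two computer-assisted audit techniques named in pointers 13 and 14: a generalized-audit-software style duplicate test over an invoice population, and a reproducible random sample drawn from that population for substantive testing. The invoice records, the field names and the duplicate key (vendor, invoice number, amount) are assumptions constructed for illustration.

```python
"""Added example: duplicate-payment test and seeded random sampling over a
constructed accounts-payable invoice population (not from the original slides)."""
import csv
import io
import random
from collections import defaultdict

# Constructed sample population (not real data): vendor invoices as exported
# from an accounts-payable system. Field names are assumptions.
INVOICES_CSV = """invoice_id,vendor,invoice_no,amount,paid_on
1,ACME Ltd,INV-1001,1250.00,2014-03-02
2,ACME Ltd,inv-1001 ,1250.00,2014-03-09
3,Globex,GX-77,980.50,2014-03-10
4,Initech,IT-5,15000.00,2014-03-11
5,Globex,GX-78,980.50,2014-03-12
6,Initech,IT-5,15000.00,2014-04-01
7,Umbrella,UM-3,42.10,2014-04-03
8,ACME Ltd,INV-1002,300.00,2014-04-05
"""


def load_invoices(text):
    """Parse the CSV export into a list of dicts; amounts become floats."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def _normalize(value):
    """Canonicalize key fields so 'inv-1001 ' and 'INV-1001' compare equal."""
    return value.strip().upper() if isinstance(value, str) else value


def find_duplicates(rows, key_fields=("vendor", "invoice_no", "amount")):
    """Return {key: [invoice_ids]} for every key that occurs more than once.

    Matching on vendor + invoice number + amount is the classic GAS test for
    duplicate payments; the key fields can be changed to suit the population.
    """
    groups = defaultdict(list)
    for row in rows:
        key = tuple(_normalize(row[f]) for f in key_fields)
        groups[key].append(row["invoice_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def draw_random_sample(rows, size, seed):
    """Simple random sample of `size` records, reproducible from `seed`.

    The seed is recorded in the work papers so another auditor can re-perform
    the selection; every record has an equal chance of being chosen.
    """
    rng = random.Random(seed)
    chosen = rng.sample(rows, size)
    return sorted(chosen, key=lambda r: int(r["invoice_id"]))


def sample_coverage(population, sample):
    """Fraction of the population's monetary value covered by the sample."""
    total = sum(r["amount"] for r in population)
    return sum(r["amount"] for r in sample) / total if total else 0.0


if __name__ == "__main__":
    invoices = load_invoices(INVOICES_CSV)
    for key, ids in find_duplicates(invoices).items():
        print("possible duplicate payment", key, "invoice_ids", ids)
    sample = draw_random_sample(invoices, size=3, seed=20140101)
    print("sample:", [r["invoice_id"] for r in sample],
          "value coverage: %.1f%%" % (100 * sample_coverage(invoices, sample)))
```

Two records that differ only in the case or spacing of the invoice number are still flagged, which is the kind of near-duplicate a manual review tends to miss; the Globex invoices with equal amounts but different invoice numbers are not flagged, so the choice of key fields should be documented with the test.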
Quiz
QUIZ 1
An audit charter should:
a. Summarize the responsibilities, authority and scope of an internal audit department
b. Define audit processes
c. Outline audit goals and how to achieve them
d. Keep track with the change in information technology
Answer: a.
Explanation: An audit charter summarizes the responsibility, authority and scope of the audit
function. Audit processes, goals and methods belong in audit plans and procedures, which are
subordinate to the charter.
QUIZ 2
An audit report prepared by the information systems auditor should be supported by:
a. Supporting statements from Information Systems management
b. Work-papers of senior auditors
c. Control self-assessment from the organization
d. Appropriate, relevant and sufficient audit evidence
Answer: d.
Explanation: Audit findings and conclusions must be supported by appropriate, relevant and sufficient
audit evidence. Agreement of IS management on the findings and the corrective action to be taken is
obtained before reporting, but management statements are not what supports the report.
QUIZ 3
An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and
finds that the previous plan was designed to review the company network and e-mail systems, which were
newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company
IT manager indicates that this year the organization prefers to focus the audit on a newly-implemented
enterprise resource planning (ERP) application. How should the IS auditor respond?
a. Determine the highest-risk systems and plan the audit based on the results.
b. Audit the new ERP application as requested by the IT manager.
c. Audit both the e-commerce server and the ERP application.
d. Audit the e-commerce server since it was not audited last year.
Answer: a.
Explanation: The best course of action is to conduct a risk assessment and design the audit plan to cover
the areas of highest risk. The IS auditor should not rely on the prior-year audit plan since it may not have
been designed to reflect a risk-based approach.
QUIZ 4
When testing program change requests, an IS auditor found that the population of
changes was too small to provide a reasonable level of assurance. What is the most
appropriate action for the IS auditor to take?
a. Report the finding to management as a deficiency.
b. Create additional sample changes to programs.
c. Develop an alternate testing procedure.
d. Perform a walk-through of the change management process.
Answer: c.
Explanation: If a sample size objective cannot be met with the given data, the IS auditor would not be able
to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with
audit management approval) an alternate testing procedure.
QUIZ 5
The main advantage derived from an enterprise employing a control self-assessment
(CSA) process is that it:
a. enables management to delegate responsibility
b. can replace the traditional audit methods
c. allows the auditor to independently assess risks
d. identifies high-risk areas that require a later detailed review
Answer: d.
Explanation: Control self-assessment is based on the review of high-risk areas that will
need either immediate attention or a more thorough review at a later date.
Summary
Here is a quick recap of what we have learned in this domain:
This domain outlines the framework for performing IS auditing, specifically including the mandatory
requirements regarding the IS auditor's mission and activity, as well as best practices to achieve a
favorable IS auditing outcome.
This concludes the domain on process of auditing information systems.
The next domain covers IT Governance and Management.
An ISACA® Certification based on CISA® 2014 Curriculum.
Copyright 2014, Simplilearn, All rights reserved.