CISA_Student_Handout_Domain1.pdf

May 27, 2018 | Author: Danushka Sakuntha Perera | Category: Audit, Internal Control, Test (Assessment), Copyright, Information System


CISA Review Course 26th Edition
Domain 1: The Process of Auditing Information Systems

ABOUT THE CISA EXAM / CISA EXAM PREPARATION
© Copyright 2016 ISACA. All rights reserved.

Welcome!
This program is designed to prepare you for success on the CISA exam, one step in the process of becoming certified. The program will include:
o Information about the CISA exam and certification
o Detailed coverage of the body of knowledge required by CISA
o Activities, exam discussion questions, and group discussions
o Real-world examples of CISA subject matter

CISA Certification
CISA certification benefits include:
o Confirms and demonstrates your knowledge and experience
o Gives you a competitive edge
o Helps you achieve a high professional standard
o Quantifies and markets your experience
o Provides global recognition as a mark of excellence
o Increases your value to your organization

CISA Accreditation
The American National Standards Institute (ANSI) has accredited CISA under ISO/IEC 17024:2012, General Requirements for Bodies Operating Certification Schemes for Persons. Accreditation by ANSI achieves the following:
o Promotes the unique qualifications and expertise certifications provide
o Protects the integrity of the certifications and provides legal defensibility
o Enhances consumer and public confidence in the certifications and the people who hold them
o Facilitates mobility across borders or industries
More than 118,000 professionals have earned the CISA certification since it was introduced in 1978.

The CISA Exam
The CISA exam is offered three times a year, in June, September and December. Exam registration dates:
o Registration opens approximately eight months prior to the exam date.
o Early registration ends approximately five months prior to the exam date.
o Registration closes approximately eight weeks prior to the exam date.
Register at www.isaca.org.

About the CISA Exam
The CISA Certification Working Group oversees the development of the CISA exam, ensuring that the job practice is properly tested. The exam consists of 150 multiple-choice questions covering the CISA job practice domains.

Job Practice
o Domain 1: The Process of Auditing Information Systems, 21%
o Domain 2: Governance and Management of IT, 16%
o Domain 3: Information Systems Acquisition, Development and Implementation, 18%
o Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
o Domain 5: Protection of Information Assets, 25%

Basis of the CISA Exam
The CISA exam is based on a job practice. Topics that candidates are expected to understand are described in a series of task and knowledge statements.
o Task statements describe the specific tasks the CISA candidate should be able to perform.
o Knowledge statements are the knowledge areas required in order for the candidate to perform the tasks.
Test questions are specifically designed to validate that the candidate possesses the knowledge to perform a given task.

Pre-Course Question 1
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls

Pre-Course Question 2
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as

Pre-Course Question 3
An IS auditor is evaluating a virtual machine based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).

Pre-Course Question 4
A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.

Pre-Course Question 5
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages

Domain 1: The Process of Auditing Information Systems
Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.

Domain Objectives
The focus of Domain 1 is to encompass the entire practice of IS auditing, including a set of procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner. The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to:
o Provide audit services in accordance with IS audit standards.
o Assist the organization with protecting and controlling information systems.

On the CISA Exam
Domain 1 represents 21% of the questions on the CISA exam (approximately 32 questions).

Domain Tasks
Domain 1 incorporates five tasks related to the process of auditing information systems.
1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Task 1.1
Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.

Key Terms
Information systems (IS): The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.
Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure.
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO).
Tools and techniques: Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work but do not set requirements.

Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards: In order to meet both the goals and objective of an IS audit and the integrity of the work product that supports the IS audit, the IS auditor must know and understand the core ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, and Code of Professional Ethics.
K1.2 Knowledge of risk assessment concepts, tools and techniques in planning, examination, reporting and follow-up: All IS auditors must be able to accurately and efficiently use risk assessment techniques in planning the IS audit.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes: Only through a clear understanding of the underlying business processes can the IS auditor truly understand the scope, purpose and focus for each IS audit engagement.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up: The IS auditor must use well-developed project management techniques from planning through audit follow-up activities to reasonably assure the timely and effective completion of IS audit engagements.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits: On all IS audit engagements, legal and regulatory requirements must be part of the IS audit process. These requirements affect how often and how many IS audits are performed, and also how the audit obtains, collects and protects evidence.
K1.10 Knowledge of audit quality assurance systems and frameworks: Through the understanding of quality assurance systems and frameworks, the IS auditor can integrate the validated quality assurance system (QAS) work product into the IS audit, and incorporate auditee QAS tools within the recommendations to address monitoring deficiencies.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities: In their professional career, the IS auditor will be asked to lead and/or participate in a variety of IS audits, investigations, surveys and reviews, including legal reviews (to include contracts with business partners) and associated audits.

Code of Professional Ethics
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

IS Audit Function
IS auditing is the formal examination, interview and/or testing of information systems to determine whether:
o Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
o IS data and information have appropriate levels of confidentiality, integrity and availability.
o IS operations are being accomplished efficiently, and effectiveness targets are being met.

IS Auditor Skills
ISACA IS Audit and Assurance Standards require that the IS auditor be technically competent (1006 Proficiency). This is achieved through continuing education. CISA candidates do NOT need to memorize the ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, but they must be able to apply the appropriate standard, guideline or ISACA Code of Professional Ethics in a given situation.

Standards and Guidelines
There are three categories of standards and guidelines:
General: Apply to the conduct of all assignments, and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill. (Guiding principles)
Performance: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, and audit and assurance evidence.
Reporting: Address the types of reports, means of communication and the information communicated.

Standards
Standards contain statements of mandatory requirements. These standards inform:
o IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
o Management and other interested parties of the profession's expectations concerning the work of practitioners
o Holders of the CISA designation of their requirements
Failure to comply with these standards may result in an investigation into the CISA by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.

General: 1001 Audit Charter; 1002 Organizational Independence; 1003 Professional Independence; 1004 Reasonable Expectation; 1005 Due Professional Care; 1006 Proficiency; 1007 Assertions; 1008 Criteria
Performance: 1201 Engagement Planning; 1202 Risk Assessment in Planning; 1203 Performance and Supervision; 1204 Materiality; 1205 Evidence; 1206 Using the Work of Other Experts; 1207 Irregularity and Illegal Acts
Reporting: 1401 Reporting; 1402 Follow-up Activities

Guidelines
The objective of the ISACA IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the ISACA IS Audit and Assurance Standards. The IS auditor and assurance professional should:
o Consider these guidelines in determining how to implement the standards.
o Use professional judgment in applying the guidelines to specific audits.
o Be able to justify any departure from the ISACA IS Audit and Assurance Standards.

General: 2001 Audit Charter; 2002 Organizational Independence; 2003 Professional Independence; 2004 Reasonable Expectation; 2005 Due Professional Care; 2006 Proficiency; 2007 Assertions; 2008 Criteria
Performance: 2201 Engagement Planning; 2202 Risk Assessment in Planning; 2203 Performance and Supervision; 2204 Materiality; 2205 Evidence; 2206 Using the Work of Other Experts; 2207 Irregularity and Illegal Acts; 2208 Sampling
Reporting: 2401 Reporting; 2402 Follow-up Activities

Tools and Techniques
The tools and techniques documents provide information on how to meet the standards when performing IS auditing work but do not set requirements. Tools and techniques documents include:
o White papers
o Audit/Assurance programs
o COBIT 5 family of products
o Technical and Risk Management Reference series
o ISACA Journal IT Audit Basics
ITAF(TM) is a reference model that establishes standards, defines terms and provides guidance on the planning, conduct and reporting of IS auditing and assurance assignments.

Relationship
Standards: Must be followed by the IS auditor.
Guidelines: Provide assistance on how the auditor can implement standards.
Tools & Techniques: Provide examples of steps an auditor may follow to implement standards.

Laws and Regulations
Certain industries, such as banks and internet service providers (ISPs), are closely regulated. These legal regulations may pertain to financial, operational and IS audit functions. There may be cases where the legal/regulatory requirements are more stringent than the ISACA IS Audit and Assurance Standards.
Examples include:
o US Health Insurance Portability and Accountability Act (HIPAA)
o US Sarbanes-Oxley Act of 2002
o Basel Accords
o Protection of Personal Data Directives and Electronic Commerce within the European Community
There are two areas of concern that impact the audit scope and objectives:
o Legal requirements placed on the audit
o Legal requirements placed on the auditee and its systems, data management, reporting, etc.
The IS auditor must identify those government or other relevant external requirements dealing with:
o Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
o Computer system practices and controls
o The manner in which computers, programs and data are stored
o The organization or the activities of information technology services
o IS audits

Laws and Compliance
Also, an IS auditor would perform these additional steps to assess compliance:
o Document applicable laws and regulations.
o Assess whether management and the IT function have considered the relevant external requirements in their plans, policies, standards and procedures.
o Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
o Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.
o Determine adherence to procedures that address these requirements.

CSA
Control self-assessment (CSA) is an assessment of controls made by the staff and management to assure stakeholders, customers and other parties of the organization. It can consist of simple questionnaires to facilitated workshops. Tools include:
o Management meetings
o Client workshops
o Worksheets
o Rating sheets

CSA Objectives
The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. CSA empowers workers to assess or even design the control environment, assisting them in assessing their environment by providing insight about the objectives of controls based on the risk assessment.

CSA Pros and Cons
Advantages:
o Early detection of risk
o More effective and improved internal controls
o Creation of cohesive teams through employee involvement
o Developing sense of ownership of controls
o Increased employee awareness of control objectives
o Increased communication
o Improved audit rating process
o Reduction in control cost
o Assurance provided to stakeholders and customers
Disadvantages:
o Mistaken as an audit function replacement
o Regarded as an additional workload
o Failure to act on improvement suggestions could damage employee morale
o Lack of motivation may limit effectiveness in the detection of weak controls

Traditional vs. CSA
Traditional: Assigns duties/supervises staff; Policy/rule-driven; Limited employee participation; Narrow stakeholder focus; Auditors and other specialists are the primary control analysts.
CSA: Empowered/accountable employees; Continuous improvement/learning curve; Extensive employee participation and training; Broad stakeholder focus; Staff at all levels, in all functions, are the primary control analysts.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.12

In the Big Picture
Each task in the five domains contributes to the big picture of IS audit and control. The following shows one such connection. Can you think of others?
Task 1.1: Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
The Big Picture: Through a focused risk-based approach, the IS auditor will focus on those areas most important to the organization.

Discussion Question
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

Discussion Question
Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.

Task 1.2
Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

Key Terms
Audit plan: A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion. It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work.
Audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.
Audit universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.
Reasonable assurance: A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved.

Task to Knowledge Statements
How does Task 1.2 relate to each of the following knowledge statements?
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards: By following ISACA standards and guidelines for planning, the IS audit charter will charge the IS auditor to always consider the protection of IS systems and the value derived from the systems within all IS audit engagements.
K1.2 Knowledge of risk assessment concepts, tools and techniques in planning, examination, reporting and follow-up: In order to ensure the IS audit focuses on the most important IS security, operations, functions and capabilities being reviewed, the IS auditor must be able to effectively and efficiently assess the risk to these objectives.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes: Only through a thorough understanding of the business processes supported by the organization, along with IS, can the IS auditor properly plan the IS audit engagement.
K1.4 Knowledge of control principles related to controls in information systems: The controls that should be in place and the scope of the IS audit are based on the inherent risk associated with the business processes supported by IS and the IS systems themselves.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up: Using risk assessments performed by the organization along with project management techniques, the IS auditor can properly focus time and resources needed to assess IS processes required to protect and deliver value to the organization.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits: Specific laws and regulations will require information protections (controls) that must be assessed by the IS auditor.
K1.10 Knowledge of audit quality assurance systems and frameworks: Using the correct quality assurance construct will assist the IS auditor in ensuring the scope and purpose are aligned with system protection and value delivery.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities: Based on the type and complexity of the specific system, process, data and control the IS auditor has been assigned to audit, he/she will need to select the correct IS audit approach to ensure the protection of the data, information and IS supporting the processes under audit.

Audit Planning
The first step in performing an IS audit is adequate planning. To plan an audit, the following tasks must be completed:
o List all the processes that may be considered for the annual audit plan.
o Evaluate each process by performing a qualitative or quantitative risk assessment.
o Define the overall risk of each process.
o Construct an audit plan to include all of the processes that are rated.
These evaluations should be based on objective criteria.

When To Audit
Audit planning includes short-term and long-term planning.
o Short-term planning involves all audit issues that will be covered during the year.
o Long-term planning takes into account all risk-related issues affecting the organization's strategic direction.
In addition to a yearly analysis of short-term and long-term issues, individual audits may be conducted based on the following:
o New control issues
o Changes in risk environment, technologies and business processes
o Enhanced evaluation techniques

Audit Planning Steps
In order to plan an audit, the IS auditor should:
o Gain an understanding of the mission, objectives, purpose and processes.
o Identify stated contents, such as policies, standards and required guidelines, procedures and organization structure.
o Understand changes in the business environment of the auditee.
o Review prior work papers.
o Perform a risk analysis to help in designing the audit plan.
o Set the audit scope and audit objectives.
o Develop the audit approach or audit strategy.
o Assign personnel resources to the audit.
o Address engagement logistics.
To accomplish this task, the IS auditor must have an understanding of the overall environment under review. Also, to plan for an audit, the IS auditor should:
o Understand that risk exists as part of the audit process.
o Understand the relationship between risk and control.
o Identify and differentiate risk types and the controls used to mitigate the risk.
o Evaluate risk assessment and management techniques used by the organization.

Additional Considerations
The audit plan should take into consideration the objectives of the IS audit relevant to the audit area and its technology infrastructure and business strategic direction. The IS auditor can gain this information by:
o Reading background material, including industry publications, annual reports and independent financial analysis reports
o Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
o Reviewing business and IT long-term strategic plans
Other ways the IS auditor can gain this information include:
o Interviewing key managers to understand business issues
o Identifying specific regulations applicable to IT
o Identifying IT functions or related activities that have been outsourced
o Touring key organization facilities

Risk Analysis
During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks. IS auditors are often focused on high-risk issues associated with confidentiality, integrity and availability of sensitive and critical information. The IS auditor must also match available audit resources, such as staff, with the tasks defined in the audit plan.

Risk Management Process
[Figure: risk management process. Source: ISACA, CISA Review Manual 26th Edition, figure 1.3]

Risk Response Options
Risk mitigation: Applying appropriate controls to reduce the risk.
Risk acceptance: Knowingly and objectively not taking action, providing the risk clearly satisfies the organization's policy for risk acceptance.
Risk avoidance: Avoiding risk by not allowing actions that would cause the risk to occur.
Risk transfer/sharing: Transferring the associated risk to other parties.

Risk Assessment
A risk assessment assists the IS auditor in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls. Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.

Risk Assessment Process
[Figure: risk assessment process with steps Prepare for Assessment; Conduct Assessment (Identify Threat Sources and Events, Determine Magnitude of Impact, Determine Risk). Source: National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Special Publication 800-30, Revision 1: Information Security, USA, 2012. Reprinted courtesy of the National Institute of Standards and Technology. Not copyrightable in the United States.]

Using risk assessment to determine areas to be audited:
o Enables management to effectively allocate limited audit resources
o Ensures that relevant information has been obtained from all levels, including the audit department
o Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans
Risk assessment considers factors such as:
o Technical complexity
o Level of control procedures in place
o Level of financial loss
management Identify Vulnerabilities and Predisposing Conditions Communicate Maintain Results Assessment It supports risk-based audit decision making by o Establishes a basis for Determine Likelihood of Occurrence effectively managing the considering variables. They provide Attempt to predict potential problems before they occur and make reasonable assurance that the business objectives will adjustments. Correct errors arising from a problem. All rights reserved. Source: ISACA. Corrective Minimize the impact of a threat. omission or malicious act from occurring.8 73 © Copyright 2016 ISACA. © 2016. omission or malicious act. All rights reserved. practices and organizational structures that Knowledge of business and industry Regulatory statutes Inherent risk assessments Recent financial information are implemented to reduce risk to the organization. Use well-designed documents (prevent errors). All rights reserved. 76 © Copyright 2016 ISACA. Control Classification IS Control Objectives Class Function IS control objectives are statements of the desired result Preventive Detect problems before they arise. Remedy problems discovered by detective controls. Perform Compliance Tests Perform tests on reliability. achieved by implementing controls. Prevent an error. figure 1. figure 1. Modify the processing system(s) to minimize future occurrences of the problem. Write audit report. Identify the cause of a problem. Perform Substantive Tests Analytical procedures Other substantive audit procedures Detailed tests of account balances Conclude the Audit Create recommendations.5 75 © Copyright 2016 ISACA. be achieved and undesired events will be prevented. Monitor both operation and inputs. All Rights Reserved. Detective Use controls that detect and report the occurrence of an error. 
Obtain Understanding of Internal Control Control environment Control risk assessment Internal controls should address: Control procedures Equate total risk Detection risk assessment o What should be achieved? Identify key controls to be tested. Segregate duties (deterrent factor). All rights reserved.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems Risk-based Auditing Internal Controls Gather Information and Plan Internal controls are normally composed of policies. CISA Review Manual 26th Edition. Source: ISACA. CISA Review Manual 26th Edition. procedures. detected or corrected. 19 . 74 © Copyright 2016 ISACA. risk o What should be avoided? prevention and adherence to organization policies and procedures. Control access to physical facilities. ISACA. All rights reserved. 80 © Copyright 2016 ISACA. All rights reserved. in place and operating effectively Operational controls that concern day-to-day operations. The IS auditor should understand IS o Operations procedures controls and how to apply them in planning an audit. ISACA. IS Specific Controls Each general control can be translated into an Additional IS control procedures include: IS-specific control. o Systems programming and technical support IS control procedures include: functions o Strategy and direction of the IT function o Quality assurance (QA) procedures o General organization and management of the IT o Physical access controls function o Business continuity planning (BCP)/disaster recovery o Access to IT resources. 78 © Copyright 2016 ISACA. © 2016. 20 . 
o Integrity of general operating system (OS) functions and activities environments Administrative controls that concern operational efficiency in a functional area and adherence to management o Integrity of sensitive and critical application system policies environments Organizational security policies and procedures to ensure o Appropriate identification and authentication of users proper usage of assets o The efficiency and effectiveness of operations Overall policies for the design and use of adequate documents and records o Integrity and reliability of systems by implementing Access and use procedures and practices effective change management procedures Physical and logical security policies for all facilities 77 © Copyright 2016 ISACA. All rights reserved.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems General Controls IS control objectives may also include: General controls include: o Safeguarding assets Internal accounting controls that concern the safeguarding o System development life cycle (SDLC) processes are of assets and reliability of financial information established. including data and programs planning (DRP) o Systems development methodologies and change o Networks and communications control o Database administration o Protection and detective mechanisms against internal and external attacks 79 © Copyright 2016 ISACA. All rights reserved. All Rights Reserved. All rights reserved. All rights reserved. 82 © Copyright 2016 ISACA. or detected and corrected. information. This a single a holistic integrated approach framework kind of audit relates to financial information integrity and reliability.and control-based audit approach. All rights reserved. substantive 4. All rights reserved. and consume resources efficiently. It helps enterprises standards. internal controls that provide reasonable assurance that business. 2012. operational and control objectives will be met and that undesired events will be prevented. 
authorities. figure 2 81 © Copyright 2016 ISACA. IS audits of application controls or logical security systems. Examples include discovering. achieve organizational goals effectively. 83 © Copyright 2016 ISACA. efficiency and compliance. It often involves detailed. 21 .CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems COBIT 5 Types of Audits Type Description comprehensive framework for Compliance Compliance audits include specific tests of controls to governance and management of 1. maintain data and system integrity and availability. Enabling 3. It is performed to assess the overall objectives within adequately safeguard assets. Source: ISACA. in a timely manner. do they have. Examples include Payment Card Industry Data stakeholder needs create optimal value from IT by Security Standard (PCI DSS) audits for companies that maintaining a balance between 5. 84 © Copyright 2016 ISACA. Type Description Type Description Operational An operational audit is designed to evaluate the internal Forensic audits Forensic auditing has been defined as auditing specialized in audits control structure in a given process or area. Also. IS audits This process collects and evaluates evidence to determine Integrated An integrated audit combines financial and operational audit whether the information systems and related resources audits steps. Applying testing. The primary purpose of such a review is the development of Administrative These are oriented to assess issues related to the efficiency evidence for review by law enforcement and judicial audits of operational productivity within an organization. in effect. provide relevant and reliable safeguarding. COBIT 5 Principles Financial The purpose of a financial audit is to assess the accuracy of audits financial reporting. disclosing and following up on fraud and crimes. although increasingly. auditors are placing more emphasis on a risk. All Rights Reserved. 
Meeting audits demonstrate adherence to specific regulatory or industry enterprise IT. risk levels and resource use. USA. © 2016. Separating 2. Covering process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle governance the realizing benefits and optimizing from enterprise management end-to-end health care data. COBIT 5. ISACA. All rights reserved. such as o Query tools fraud. o Transaction logging It results in better monitoring of financial issues. CISA Review Manual 26th Edition. o Database management systems (DBMS) Continuous auditing should be independent of continuous controls and continuous monitoring. All rights reserved. 22 . It involves a team o Identification of risk faced by the organization for the area of auditors with different being audited skill sets working together o Identification of relevant key to provide a Operational Financial controls Operational Financial Audit Audit Audit Audit comprehensive report. the collection of evidence and applications and may include IT techniques such as: the audit reporting. © 2016.13 85 © Copyright 2016 ISACA. Source: ISACA. o Intelligent agents 87 © Copyright 2016 ISACA. All rights reserved. o Review and understanding of the design of key controls o Testing that key controls are supported by the IT system IS Audit IS Audit o Testing that management controls operate effectively o A combined report or opinion on control risk. CISA Review Manual 26th Edition. Continuous Auditing Continuous auditing is characterized by the short time This process must be carefully built into the business lapse between the audit. ensuring that real-time transactions benefit from o Statistics and data analysis (CAAT) real-time monitoring. All Rights Reserved. ISACA.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems Integrated Audit An integrated audit focuses The process typically involves: on risk.13 figure 1. figure 1. 
88 © Copyright 2016 ISACA. 86 © Copyright 2016 ISACA. All rights reserved. design and weaknesses Source: ISACA. procedures Procedures for Identify methods (including tools) to perform the evaluation. o Implementation of highly automated audit tools that require audit objectives and audit programs. and steps for Identify a list of individuals to interview. Audit Phases Audit Phase Description Audit Phase Description Audit subject Identify the area to be audited. objectives. All rights reserved. when. such control. 23 . figure 1. Source: ISACA. 92 © Copyright 2016 ISACA. was accurate (and repeatable. An audit program should be developed to serve as a o Quick and timely issuance of automated audit reports. standards and organization to be included in the review. procedures designed to achieve planned audit o Alarm triggers to report timely control failures. © 2016. if applicable).CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems Continuous Audit Methodology For continuous auditing to succeed. CISA Review Manual 26th Edition. standards. ISACA. Audit scope Identify the specific systems. All rights reserved. evaluating the Identify criteria for evaluating the test (similar to a test Identify locations or facilities to be audited.7 Source: ISACA. policies. and prior audit work papers. CISA Review Manual 26th Edition. particularly when the process has to all audit staff. Each audit department should design and approve an o The ability to quickly inform IS auditors of the results of audit methodology that is formalized and communicated automated procedures. engagement that describes who to communicate to. All Rights Reserved. Develop audit tools and methodology to test and verify planning Identify the sources of information for test or review. Its components are a statement of scope. steps. 89 © Copyright 2016 ISACA. 
test or review script for the IS auditor to use in conducting the Develop a communication plan at the beginning of each results evaluation). o Adherence to materiality guidelines. the IS auditor to be involved in setting up the parameters. guide for performing and documenting all of the audit o Technically proficient IS auditors. All rights reserved. Identify means and resources to confirm the evaluation how often and for what purpose(s). Audit Identify and select the audit approach to verify and test the Audit objective Identify the purpose of the audit. procedures controls. as functional flow charts. it needs to have: An audit methodology is a set of documented audit o A high degree of automation. 90 © Copyright 2016 ISACA. function or unit of the data gathering Identify and obtain departmental policies. Preaudit Identify technical skills and resources needed. All rights reserved. reviewed. figure 1. identified anomalies or errors.7 91 © Copyright 2016 ISACA. guidelines for review. and the extent and types of evidential matter o Availability of reliable sources of evidence. CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems In the Big Picture Audit Phase Description Procedures for Determine frequency of communication.7 93 © Copyright 2016 ISACA. higher confidence coefficient. All rights reserved. Which of the testing the existence of program change approvals. 95 © Copyright 2016 ISACA. Source: ISACA. All rights reserved.2 Picture preparation Disclose procedures to evaluate/test operational efficiency Plan specific audits to determine The IS auditor will always and effectiveness. C. All rights reserved. the organization. Discussion Question Discussion Question The internal IS audit team is auditing controls over sales An IS auditor is determining the appropriate sample size for returns and is concerned about fraud. 24 . resulting in a larger sample size. All Rights Reserved. controlled and provide value critical data. 
The Big with management Audit report Disclose follow-up review procedures. information Review and evaluate the soundness of documents. lower confidence coefficient. All rights reserved. resulting in a smaller B. protected. 96 © Copyright 2016 ISACA. whether information systems are focus on the protection of Disclose procedures to test controls. higher confidence coefficient. Classical variable sample size. communication Prepare documentation for final report. figure 1. and management has auditors? confirmed that no exceptions have been reported for the review period. resulting in a smaller D. CISA Review Manual 26th Edition. ISACA. C. 94 © Copyright 2016 ISACA. Task 1. Previous following sampling methods would BEST assist the IS audits did not indicate any exceptions. resulting in a larger sample size. In this context. © 2016. Probability-proportional-to-size sample size. and IS components that are of greatest value to and procedures. Discovery B. the IS auditor can adopt a: A. D. Stop-or-go A. lower confidence coefficient. policies to the organization. All rights reserved. Task to Knowledge Statements Key Term Definition How does Task 1. reporting and data.1 Knowledge of ISACA IS Audit and Only through following the ISACA Materiality An auditing concept regarding the importance of an item Assurance Standards. Audit objective The specific goal(s) of an audit. 98 © Copyright 2016 ISACA. Computer-assisted Any automated audit technique. examination. Tools established and industry accepted IS audit of information with regard to its impact or effect on the and Techniques. K1.3 relate to each of the following Evidence The information an IS auditor gathers in the course of knowledge statements? performing an IS audit. These often center on substantiating the existence of internal controls to minimize business risk. acceptance by all interested stakeholders. Guidelines. 99 © Copyright 2016 ISACA. audit technique (CAAT) audit software (GAS). © 2016. 
such as generalized objectives. All rights reserved. Code of Professional and assurance standards and guidelines functioning of the entity being audited. 25 .2 Knowledge of risk assessment The IS auditor must focus on the risks to concepts. K1. and tools and techniques in planning. test data generators. All rights reserved.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems Task 1. ISACA. information and critical system follow-up components to reasonably ensure the IS audit will achieve its stated purpose. 100 © Copyright 2016 ISACA.3 Key Terms Key Term Definition Audit evidence The information used to support the audit opinion. All rights reserved. an expression of Ethics and other applicable standards will the IS auditor be able to reasonably the relative significance or importance of a particular ensure both work product integrity and matter in the context of the organization as a whole. relevant if it pertains to the audit objectives and has a logical relationship to the findings Knowledge Statement Connection and conclusions it is used to support. computerized audit programs and specialized audit utilities. All Rights Reserved. Conduct audits in accordance with IS Audit program A step-by-step set of audit procedures and instructions audit standards to achieve planned audit that should be performed to complete an audit. 97 © Copyright 2016 ISACA. 3 Knowledge of fundamental business of the K1.g.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems How does Task 1. most efficient and effective manner while audit report structure. Through the management summary. you will meet the primary objectives and the role of IS in these processes audit will achieve the intended IS audit for the engagement.5 Knowledge of risk-based audit Knowing your key risks will enable you to processes (e. K1. including follow-up hence. inquiry. computer-assisted audit techniques always protecting its integrity.. 
negotiation.3 relate to each of the following How does Task 1. the evidence must be obtained.3 relate to each of the following knowledge statements? knowledge statements? Knowledge Statement Connection Knowledge Statement Connection K1. 104 © Copyright 2016 ISACA. the IS K1. from the planning through follow-up stages forensic investigation techniques. supporting the processes along with data and information.. objectives. the IS auditor must ensure sampling techniques are used that enable the analysis to be representative of the overall transactional population (both IS system and business operations). How does Task 1. clear and effective lines of communication inspection. 101 © Copyright 2016 ISACA. evidence and regulatory compliance aspects. result verification) [CAATs]) used to gather. All rights reserved.10 Knowledge of audit quality There may be guidelines and additional preserve audit evidence audit can realize these requirements. ISACA.4 Knowledge of control principles The IS auditor will need to address the key regulations that affect the scope.g. communication techniques (e. accounts payable. All rights reserved. 102 © Copyright 2016 ISACA.7 Knowledge of evidence collection In order to meet the stated business K1. assurance systems and frameworks audit procedures that an IS auditor may K1. objectives. analytical procedures engagement. issue writing.9 Knowledge of reporting and The IS auditor must establish and maintain techniques (e. 26 .8 Knowledge of different sampling Beyond the sheer volume of data and data wish to add in order to develop an opinion methodologies and other substantive/data sources an IS auditor is facing on each on the proper functioning of controls. data analysis. purchasing.3 relate to each of the following How does Task 1. 103 © Copyright 2016 ISACA. protect and use of IS audit tools and techniques. business process being supported by the planning and audit project management focus on the key objectives for the IS audit. 
All rights reserved. collected. and preservation and frequency These should always be a consideration in risks to business processes and the IS of audits the IS audit engagement objectives. related to controls in information systems controls required to address the critical collection.3 relate to each of the following knowledge statements? knowledge statements? Knowledge Statement Connection Knowledge Statement Connection K1.6 Knowledge of applicable laws and Almost all IS audits will involve both legal K1. analyzed and evaluated in the facilitation. interview. conflict resolution. All rights reserved. All Rights Reserved.. observation. payroll.g. accounts receivable) IS provides reasonable assurance the IS techniques. © 2016. of all IS audit engagements. 105 © Copyright 2016 ISACA. All rights reserved. optimizing resource use. All rights reserved. Internal Audit External Audit Plan the audit considering project-specific risk. Chart the necessary audit tasks across a time line. efficiently Form audit conclusions and opinions. financial) and upcoming audits may provide Identify the audit criteria. organization and is not specific formal contract or statement of to a particular IS audit.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems IS Audit Steps How does Task 1. assignment. methods for assessing and placing reliance adequate depth and coverage of areas on the work of other auditors or control entities could enable the IS auditor to place Perform audit procedures. authority and responsibility of Execute the plan. ISACA. 108 © Copyright 2016 ISACA.. All rights reserved. external. Knowledge Statement Connection K1. Report to management after discussion with key process owners. work. All Rights Reserved. governance that defines the purpose. The scope and objectives of the The scope and objectives of the audit function within the audit are documented in a Build the audit plan. the internal audit activity. 
© 2016.g.11 Knowledge of various types of audits Recognizing that many recent. IS auditors report their actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget. 107 © Copyright 2016 ISACA. practice and testing needed to provide reasonable assurance that the IS controls are operating effectively. 106 © Copyright 2016 ISACA. the standards of professional Review and evaluate evidence. All rights reserved. and are aligned with both current and planned organizational goals and objectives.3 relate to each of the following Define the audit scope. External Audits Plan the audit engagement. current and (e. An engagement letter is a formal document which defines an IS Monitor project activity. It must be approved by the highest level of management or the audit committee. It does not replace an audit charter. IS Audit Project Management Internal vs. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the The audit charter is a document approved by those charged with auditee. knowledge statements? Formulate the audit objectives. Execute audit tasks against the plan. internal. 27 . All Rights Reserved. 28 . 110 © Copyright 2016 ISACA. process/entity to be audited without taking into Proper sampling procedures and strong quality control account the controls that management has processes can minimize detection risk. implemented o risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls o misstatements have occurred that will not be detected by the IS auditor o contain material errors 111 © Copyright 2016 ISACA. contain a material error that may go undetected during Audit objectives refer to the specific goals that must be the course of the audit. 109 © Copyright 2016 ISACA. © 2016. ISACA. 
Audit risk is influenced by: The IS auditor should have a good understanding of o Inherent risk the risk level or exposure of the audit risk when planning an audit. All rights reserved. 112 © Copyright 2016 ISACA.CISA Review Course 26th Edition Domain 1: The Process of Auditing Information Systems Audit Objectives Audit Risk A key element in IS audit planning is translating basic Audit risk can be defined as the risk that information may audit objectives into specific IS audit objectives. All rights reserved. They are often focused on validating that internal controls exist and are effective at minimizing business risk. All rights reserved. accomplished by the audit. All rights reserved. designed to meet control objectives The use of audit logs/reports available in operation/application Compliance testing systems Substantive testing Documentation review Reporting Inquiry and observation Follow-up Walk-throughs Reperformance of controls 113 © Copyright 2016 ISACA. understanding of the audit software to survey the contents of area/subject data files (including system logs) Audit programs are based on the scope and objective of A risk assessment and general The use of specialized software to the particular assignment. All rights reserved. 115 © Copyright 2016 ISACA. 114 © Copyright 2016 ISACA. audit objectives and audit procedures Evaluating the audit area/subject documenting automated to obtain sufficient. auditors and the audit committee Substantive testing: regarding detection and disclosure of any fraud. relevant and reliable evidence to Verifying and evaluating the applications and business processes appropriateness of controls draw and support audit conclusions and opinions. All rights reserved. o Tests of control designed to obtain audit evidence on Legislation and regulations relating to corporate both the effectiveness of the controls and their governance cast significant responsibilities on operation during the audit period. 
Audit Programs
An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. It is the audit strategy and plan. It identifies scope.

Program Procedures
General audit procedures:
o Obtaining and recording an understanding of the audit area/subject
o Audit plan and schedule
o Detailed audit planning
o Preliminary review of the audit area/subject
Procedures for testing and evaluating IS controls:
o The use of generalized audit software to assess the contents of OS, database and application parameter files
o Flow-charting techniques for

Fraud Detection
The presence of internal controls does not altogether eliminate fraud. The IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities and management. See ISACA IS Audit and Assurance Standard 1005 Due Professional Care.

Testing Methods
o Compliance testing: whether ... material or not.
o Substantive testing: obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

Testing Process
[Figure: the relationship between compliance and substantive testing, showing the two categories of substantive tests. Source: ISACA, CISA Review Manual 26th Edition, figure 1.9]

Evidence
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions (ISACA IS Audit and Assurance Standard 1205 Evidence). Some types of evidence are more reliable than others. Evidence is considered competent when it is both valid and relevant. Reliability is determined by:
o The independence of the evidence provider
o The qualifications of the evidence provider
o The objectivity of the evidence
o The timing of the evidence
The IS auditor must focus on the objectives of the audit and not on the nature of the evidence.

Evidence Gathering Techniques
o Review IS organizational structures
o Review IS policies and procedures
o Review IS standards
o Review IS documentation
o Interview appropriate personnel
o Observe processes and employee performances
o Conduct walkthroughs
o Conduct reperformance

Interviews and Observations
Observing personnel in the performance of their duties assists an IS auditor in identifying:
o Actual functions
o Actual processes/procedures
o Security awareness
o Reporting relationships
Such observation can provide adequate assurance that personnel have the required technical skills. Note that personnel may change their behavior if they know they are being observed. Therefore, combine observations with interviews.

Sampling
Sampling is used when time and cost constrain the ability to test all transactions or events. There are two approaches to sampling:
o Statistical sampling uses an objective method to determine the sample size and selection criteria.
o Non-statistical sampling uses judgment to determine the sample size and selection criteria.

Sampling Methods
Attribute sampling:
o Deals with the presence or absence of an attribute
o Expressed in rates of incidence
o Generally used in compliance testing
o Methods (proportional): attribute sampling, stop-or-go sampling, discovery sampling
Variable sampling:
o Deals with population characteristics that vary, such as monetary values and weights
o Provides conclusions related to deviations from the norm
o Generally used in substantive testing
o Methods: stratified mean per unit, unstratified mean per unit, difference estimation

Sampling Key Terms
Confidence coefficient: A percentage expression of the probability that the characteristics of the sample are a true representation of the population. The greater the confidence coefficient, the larger the sample size.
Level of risk: Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent.
Precision: Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population. The term is expressed as a percentage.
Expected error rate: An estimate stated as a percent of the errors that may exist. The greater the expected error rate, the larger the sample size. Applied to attribute sampling only.
Sample mean: The sum of all sample values divided by the size of the sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. It is used for the planned upper limit of the precision range for compliance testing.
Population standard deviation: A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. Applied to variable sampling formulas only.

Sampling Steps
o Determine the objectives
o Define the population
o Determine the method
o Calculate the sample size
o Select the sample
o Evaluate the sample
Source: ISACA, Fundamentals of IS Audit and Assurance Training Course, USA, 2014

CAATs
CAATs help IS auditors collect sufficient, relevant and useful evidence that may only exist in electronic form. They are particularly useful when auditing systems that have different hardware and software environments, data structures, record formats or processing functions. CAATs include many tools and techniques, such as:
o Generalized audit software (GAS)
o Utility software
o Debugging and scanning software
o Test data
o Application software tracing and mapping
o Expert systems

CAAT Considerations
Before the use of a CAAT, consider:
o Ease of use, both for existing and future audit staff
o Training requirements
o Complexity of coding and maintenance
o Flexibility of uses
o Installation requirements
o Processing efficiencies (especially with a PC CAAT)
o Effort required to bring the source data into the CAATs for analysis
o Ensuring the integrity of imported data by safeguarding their authenticity
o Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
o Obtaining permission to install the software on the auditee servers
o Reliability of the software
o Confidentiality of the data being processed

Evaluation of Controls
After gathering evidence, the IS auditor can use a control matrix to assess the strengths and weaknesses of the controls and determine if they are effective at meeting the control objectives. The IS auditor should always review for compensating controls before reporting control weaknesses. The IS auditor must keep the concept of materiality in mind and judge what would be significant to different levels of management.

In the Big Picture
Task 1.3: Conduct audits in accordance with IS audit standards to achieve planned audit objectives. ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques provide consistent and proven industry-accepted methods and techniques to achieve the IS audit objectives.

Discussion Question
Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A.
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D.
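The sampling key terms and steps above can be worked through on a small data set. The following is an added example, not part of the ISACA course material: it computes the level of risk from a confidence coefficient, draws a random (statistical) sample, computes the sample mean and sample standard deviation, projects a population total with the unstratified mean-per-unit method, and evaluates an attribute sample against a tolerable error rate. All figures are constructed. One simplification is assumed: the planned upper limit of an attribute sample is taken as the sample deviation rate plus the auditor-set precision, which is enough to show how precision and tolerable error rate interact but is not a statistical table lookup.

```python
"""Worked sampling computations for the CISA Domain 1 key terms.

Added example, not part of the ISACA course material. All input figures
are constructed for illustration.
"""
import math
import random


def level_of_risk(confidence_coefficient):
    """Level of risk = 1 - confidence coefficient (e.g. 0.95 -> 0.05)."""
    if not 0.0 < confidence_coefficient < 1.0:
        raise ValueError("confidence coefficient must be between 0 and 1")
    return 1.0 - confidence_coefficient


def select_sample(population, sample_size, seed=None):
    """Statistical (objective) selection: simple random sample without
    replacement. A fixed seed makes the selection reproducible for the
    working papers; the seed used should be recorded there."""
    rng = random.Random(seed)
    return rng.sample(list(population), sample_size)


def sample_mean(values):
    """Sum of all sample values divided by the size of the sample."""
    return sum(values) / len(values)


def sample_std_dev(values):
    """Spread of the sample values around the sample mean, using n - 1 in
    the denominator (the usual sample estimate, not the population one)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two sample values")
    mean = sample_mean(values)
    variance = sum((v - mean) ** 2 for v in values) / (n - 1)
    return math.sqrt(variance)


def mean_per_unit_estimate(values, population_size):
    """Unstratified mean-per-unit (variable sampling): project the sample
    mean onto the whole population to estimate the population total."""
    return sample_mean(values) * population_size


def evaluate_attribute_sample(deviations, tolerable_error_rate, precision):
    """Attribute sampling (compliance testing). `deviations` holds one
    True/False per sampled item. Assumed simplification: the planned
    upper limit is the sample deviation rate plus the precision set by
    the auditor; it is compared against the tolerable error rate."""
    n = len(deviations)
    rate = round(sum(1 for d in deviations if d) / n, 6)
    upper_limit = round(rate + precision, 6)
    return {
        "sample_size": n,
        "deviation_rate": rate,
        "upper_limit": upper_limit,
        "within_tolerable": upper_limit <= tolerable_error_rate,
    }


if __name__ == "__main__":
    # Constructed variable-sampling data: five sampled invoice amounts
    # drawn from a population of 1,000 invoices.
    amounts = [120.0, 80.0, 100.0, 95.0, 105.0]
    print("level of risk at 95% confidence:", level_of_risk(0.95))
    print("sample mean:", sample_mean(amounts))
    print("sample std dev:", round(sample_std_dev(amounts), 2))
    print("mean-per-unit estimate of population total:",
          mean_per_unit_estimate(amounts, 1000))

    # Constructed attribute-sampling data: 50 access-review records,
    # 3 of which lack evidence of approval.
    deviations = [False] * 47 + [True] * 3
    print(evaluate_attribute_sample(deviations,
                                    tolerable_error_rate=0.08,
                                    precision=0.03))
```

With the constructed data the deviation rate is 6 percent; adding a 3 percent precision gives a 9 percent upper limit, which exceeds an 8 percent tolerable error rate, so the control would not be accepted as effective on this sample. The same sample passes a 10 percent tolerable rate, which is the trade-off the key terms describe: tighter precision or a lower tolerable rate needs a larger sample.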
Discussion Question
Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat

Task 1.4
Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.

Key Terms
Stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.

Task to Knowledge Statements
How does Task 1.4 relate to each of the following knowledge statements?
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards: Knowledge of the ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques enable the IS auditor to establish clear and effective communications to the key stakeholders.
K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up: Using a risk-based approach will enable the IS auditor to communicate the most relevant and critical information throughout the IS audit engagement.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes: Knowledge of business processes along with the business specific terminology will enable clear and effective communications to the key stakeholders.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits: Based on specific legal and regulatory requirements applicable to the IS audit, the IS auditor will provide relevant reporting as to compliance with these requirements and enable stakeholders to take required actions to ensure compliance.
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification): The IS auditor must be able to speak to all levels of the organization to explain the results of the IS audit. The line management through the board of directors each have their specific needs for information related to the IS audit.
K1.10 Knowledge of audit quality assurance systems and frameworks: Through the use of quality assurance systems and frameworks (CSA, Lean Six Sigma, etc.), the IS auditor can be a facilitator of positive and effective change to the organization.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities: Based on the type of audit approach used, the IS auditor must be able to tailor the communications of these results accordingly. The IS auditor as the subject matter expert can deliver effective and change-provoking communications to stakeholders.

Communication of Results
The IS auditor communicates the audit results in an exit interview with management. During the exit interview, the IS auditor should:
o Ensure that the facts presented in the report are correct.
o Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management.
o Recommend implementation dates for agreed upon recommendations.
Before communicating results of the audit to senior management, the IS auditor should discuss the findings with the key process owners to gain an agreement on the findings and develop a course of corrective action. IS auditors should feel free to communicate issues or concerns with senior management or the audit committee. The IS auditor can present the results of the audit in an executive summary or a visual presentation.

Audit Report
Audit reports present the end product of the IS audit work (ISACA IS Audit and Assurance Standard 1401 Reporting). They are the recommendations to

Audit Report Structure
The audit report format and structure is dependent on the
Reports have the following structure and content:
o An introduction to the report, including the audit objectives, limitations and scope, the period of audit coverage, and a general statement on the procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
o The adequacy of controls and procedures examined during the audit, and the actual potential risk identified as a consequence of detected deficiencies
o Detailed audit findings and recommendations
o A variety of findings, some of which may be quite material while others are minor in nature
o Audit findings, often grouped in sections by materiality and/or intended recipient
The report should be balanced, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place.

Audit Documentation
Audit documentation provides the necessary evidence that support the audit findings and conclusions. It should be clear, complete, and easily retrievable. It is the property of the auditing entity and should only be accessible to authorized personnel. Documentation must include all information required by laws and regulations, contractual stipulations and professional standards.
Audit documentation should include, at a minimum, a record of the following:
o Planning and preparation of the audit scope and objectives
o Description and/or walk-throughs on the scoped audit area
o Audit program
o Audit steps performed and audit evidence gathered
o Use of services of other auditors and experts
o Audit findings, conclusions and recommendations
o Audit documentation relation with document identification and dates
ISACA IS Audit and Assurance Guideline 2203 Performance and Supervision
All audit documentation should be:
o Dated
o Initialed
o Page-numbered
o Self-contained
o Properly labeled
o Kept in custody

In the Big Picture
Task 1.4: Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary. The IS auditor must provide stakeholders clear, concise and easily understood communications throughout all IS audit engagements.

Discussion Question
Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.

Discussion Question
The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.
Task 1.5
Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Key Terms
Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Task to Knowledge Statements
How does Task 1.5 relate to each of the following knowledge statements?
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards: As per ISACA IS Audit and Assurance Standards and Guidelines, the IS auditor must perform follow-up reviews to provide reasonable assurance that prior and existing audit findings corrective actions are in place and operating effectively.
K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up: Based on the risk posed by a finding, follow-up activities may have specific timelines and corrective actions. Furthermore, all IS audit follow-up activities must be properly documented and linked to the existing/prior audit findings.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes: The IS auditor must be aware of the existing business processes and any changes to the business processes that could affect the corrective action follow-up.
K1.4 Knowledge of control principles related to controls in information systems: The IS auditor must be able to translate general control categories into a real-world IS context. This enables both the identification and evaluation of controls in information systems.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up: Not all open and recently closed findings are created equal. The IS auditor must be able to use project management techniques to prioritize and schedule follow-up activities accordingly.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits: Based on legal and regulatory reporting requirements, the IS auditor needs to ensure audit finding corrective actions are completed in a timely manner to address potential cyber threats that if left uncorrected could be exploited.
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence: Just like the original audit, the IS auditor needs to identify automated techniques that can be used to better perform the follow-up activities in a timely manner.
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures: As with the original IS audit, the IS auditor will use recognized sampling techniques to gather and analyze data during the follow-up activities.
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification): The IS auditor will document and report the follow-up activities to all relevant stakeholders to ensure these parties are aware of the IS audit findings corrective action status.
K1.10 Knowledge of audit quality assurance systems and frameworks: The IS auditor should review the quality assurance systems and frameworks used by the organization to address the IS audit findings and verify these methodologies were appropriate and effective.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities: Based on the type of audit (i.e., internal, external, investigations, compliance, etc.), the IS auditor will need to know how to document and report the follow-up results.

Follow-up Activities
Auditing is an ongoing process (ISACA IS Audit and Assurance Standard 1402 Follow-up Activities). The IS auditor has the responsibility to ensure that management has taken appropriate corrective actions. When the follow-up occurs depends on the criticality of the audit findings. Results of the follow-up should be communicated to the appropriate level of management. A follow-up program should be implemented to manage follow-up activities. If more recent audits have been performed that may indicate the corrective actions are complete, the IS auditor will need to determine if the work performed is adequate to close the finding.

In the Big Picture
Task 1.5: Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner. The IS auditor is responsible for the timely verification of corrective actions in response to all IS audit findings.

Discussion Question
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

Discussion Question
The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve internal control procedures.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.

Domain 1 Summary
This Domain is the foundation of the professional practice of IS audit and assurance.
o ISACA IS Audit and Assurance Standards and Guidelines enable the IS auditor to ensure they are meeting industry-wide acceptance of their work product.
o Most, if not all, IS audits now have either legal (business contracts) or regulatory impacts.
o A risk-based approach must always be used throughout the IS audit engagement life cycle.
o The IS auditor must master written and verbal communications skills from planning through follow-up.
o The IS auditor must know the business process that the
o Knowledge of evidence collection techniques ensures integrity and enables the accurate, correct and timely analysis of data and information during the IS audit.
o The IS auditor must understand the types of controls that can be used to mitigate risk.
o Sampling is critical to ensuring the testing is representative of the populations in scope for the IS audit.
o The IS auditor must know how to use other quality assurance systems and frameworks within the IS audit engagement and during follow-up activities.
o The IS auditor must understand their role when using the work of others where permissible and appropriate.

Discussion Question
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Review of the audit charter
C. Identification of key information owners
D. Development of a risk assessment

Discussion Question
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)
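The duplicate-invoice question above is the kind of test a CAAT answers, and the CAAT considerations earlier in the domain (safeguarding the authenticity of imported data, recording the time stamp of data downloaded) shape how such a test should be run. The following is an added example, not ISACA's material and not any specific GAS product: a small generalized-audit-software style check written in Python. It records a SHA-256 digest, row count and download time for the file as received, so the working papers can show exactly which data set was analysed, then reports exact duplicates (same vendor and invoice number) and possible re-keyed duplicates (same vendor, date and amount under different invoice numbers). The invoice master file and the column names are constructed for the example.

```python
"""CAAT-style duplicate invoice check with import-integrity recording.

Added example, not part of the ISACA course material. The invoice master
file below and its column layout are constructed for illustration.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample invoice master file (not real data). Row 3 repeats
# row 1 exactly; rows 4 and 5 share vendor, date and amount but carry
# different invoice numbers.
INVOICE_MASTER_CSV = """invoice_no,vendor_id,invoice_date,amount
10001,V100,2016-03-01,1250.00
10002,V100,2016-03-02,980.50
10001,V100,2016-03-01,1250.00
10003,V200,2016-03-05,410.00
10004,V200,2016-03-05,410.00
10005,V300,2016-03-07,75.25
"""


def import_with_integrity_record(raw_text):
    """Parse the file and record a digest, row count and download time
    at the point of import (CAAT considerations: safeguard authenticity
    of imported data, time-stamp data downloaded at critical points)."""
    digest = hashlib.sha256(raw_text.encode("utf-8")).hexdigest()
    records = list(csv.DictReader(io.StringIO(raw_text)))
    integrity = {
        "sha256": digest,
        "row_count": len(records),
        "downloaded_at": datetime.now(timezone.utc).isoformat(),
    }
    return records, integrity


def verify_import(raw_text, integrity):
    """Re-hash the data set and compare with the recorded digest; a
    mismatch means the data analysed is not the data that was received."""
    return hashlib.sha256(raw_text.encode("utf-8")).hexdigest() == integrity["sha256"]


def find_exact_duplicates(records):
    """Records that repeat the same vendor/invoice-number key."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["vendor_id"], r["invoice_no"])].append(r)
    return {key: rows for key, rows in groups.items() if len(rows) > 1}


def find_possible_duplicates(records):
    """Same vendor, date and amount booked under different invoice
    numbers: a re-keyed duplicate that an exact-key match would miss."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["vendor_id"], r["invoice_date"], r["amount"])].add(r["invoice_no"])
    return {key: sorted(nos) for key, nos in groups.items() if len(nos) > 1}


def run_check(raw_text=INVOICE_MASTER_CSV):
    """Full CAAT run: import with integrity record, then both duplicate tests."""
    records, integrity = import_with_integrity_record(raw_text)
    return {
        "integrity": integrity,
        "exact": find_exact_duplicates(records),
        "possible": find_possible_duplicates(records),
    }


if __name__ == "__main__":
    result = run_check()
    print("integrity record:", result["integrity"])
    for key, rows in result["exact"].items():
        print("exact duplicate", key, "x", len(rows))
    for key, nos in result["possible"].items():
        print("possible duplicate", key, "invoice numbers", nos)
```

On the constructed file the run reports one exact duplicate (vendor V100, invoice 10001, two rows) and one possible duplicate (vendor V200 on 2016-03-05 for 410.00 under invoice numbers 10003 and 10004). The second test is the one worth keeping in a real engagement: exact-key matching only catches accidental double loads, while a changed invoice number on an otherwise identical record is what a deliberate duplicate payment would look like, and both findings still need corroborating evidence from the payables process before they become audit findings.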