
CISA Review Course 26th Edition
Domain 1: The Process of Auditing Information Systems

About the CISA Exam

CISA Exam Preparation

©Copyright 2016 ISACA. All rights reserved.

Welcome!

This program is designed to prepare you for success on the CISA exam, one step in the process of becoming certified.

The program will include:
o Information about the CISA exam and certification
o Detailed coverage of the body of knowledge required by CISA
o Activities, exam discussion questions, and group discussions
o Real-world examples of CISA subject matter

CISA Certification

CISA certification benefits include:
o Helps you achieve a high professional standard
o Confirms and demonstrates your knowledge and experience
o Gives you a competitive edge
o Quantifies and markets your experience
o Provides global recognition as a mark of excellence
o Increases your value to your organization


CISA Accreditation

The American National Standards Institute (ANSI) has accredited CISA under ISO/IEC 17024:2012, General Requirements for Bodies Operating Certification Schemes for Persons.

Accreditation by ANSI achieves the following:
o Promotes the unique qualifications and expertise certifications provide
o Protects the integrity of the certifications and provides legal defensibility
o Enhances consumer and public confidence in the certifications and the people who hold them
o Facilitates mobility across borders or industries

More than 118,000 professionals have earned the CISA certification since it was introduced in 1978.

The CISA Exam

The CISA exam is offered three times a year, in June, September and December.

Exam registration dates:
o Registration opens approximately eight months prior to exam date.
o Early registration ends approximately five months prior to exam date.
o Registration closes approximately eight weeks prior to exam date.

Register at www.isaca.org.


About the CISA Exam

The CISA Certification Working Group oversees the development of the CISA exam, ensuring that the job practice is properly tested.

The exam consists of 150 multiple-choice questions covering the CISA job practice domains.

Job Practice

Figure: weighting of the CISA job practice domains on the exam
o Domain 1: The Process of Auditing Information Systems, 21%
o Domain 2: Governance and Management of IT, 16%
o Domain 3: Information Systems Acquisition, Development and Implementation, 18%
o Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
o Domain 5: Protection of Information Assets, 25%


Basis of the CISA Exam

The CISA exam is based on a job practice. Topics that candidates are expected to understand are described in a series of task and knowledge statements.
o Task statements describe the specific tasks the CISA candidate should be able to perform.
o Knowledge statements are the knowledge areas required in order for the candidate to perform the tasks.

Test questions are specifically designed to validate that the candidate possesses the knowledge to perform a given task.

Pre-Course Question 1

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls


Pre-Course Question 2

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management
only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as

Pre-Course Question 3

An IS auditor is evaluating a virtual machine based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).


Pre-Course Question 4

A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.

Pre-Course Question 5

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages


Domain 1
The Process of Auditing Information Systems

Domain 1: Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.


The focus of Domain 1 is to encompass the entire practice of IS auditing, including a set of procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.

Domain Objectives

The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to:
o Provide audit services in accordance with IS audit standards.
o Assist the organization with protecting and controlling information systems.


On the CISA Exam

Domain 1 represents 21% of the questions on the CISA exam (approximately 32 questions).
Domain 1 incorporates five tasks related to the process of auditing information systems.

Domain Tasks

1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.


1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Task 1.1

Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.


Key Terms

Information systems (IS): The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO).

Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure.

Tools and techniques: Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work but do not set requirements.


Task to Knowledge Statements

How does Task 1.1 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: In order to meet both the goals and objective of an IS audit and the integrity of the work product that supports the IS audit, the IS auditor must know and understand the core ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, and Code of Professional Ethics.

K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: All IS auditors must be able to accurately and efficiently use risk assessment techniques to ensure the IS audit is
profiles.

K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: Only through a clear understanding of the underlying business processes can the IS auditor truly understand the scope, purpose and focus for each IS audit engagement.

K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: The IS auditor must use well-developed project management techniques from planning through audit follow-up activities to reasonably assure the timely and effective completion of IS audit engagements.


How does Task 1.1 relate to each of the following knowledge statements?

K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: On all IS audit engagements, legal (to include contracts with business partners) and regulatory requirements must be part of the IS audit process. These requirements affect how often and how many IS audits are performed and also how the audit obtains, collects and protects evidence, reporting and follow-up.

K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Through the understanding of quality assurance systems and frameworks, the IS auditor can:
o Integrate the validated quality assurance system (QAS) work product into the IS audit.
o Incorporate auditee QAS tools within the recommendations to address monitoring deficiencies.

K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: professional career, he/she will be asked to lead and/or participate in a variety of IS and associated audits, investigations, surveys and reviews.


IS Audit Function

IS auditing is the formal examination, interview and/or testing of information systems to determine whether:
o Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
o IS data and information have appropriate levels of confidentiality, integrity and availability.
o IS operations are being accomplished efficiently, and effectiveness targets are being met.

IS Auditor Skills

ISACA IS Audit and Assurance Standards require that the IS auditor be technically competent (1006 Proficiency). This is achieved through continuing education.

CISA candidates do NOT need to memorize the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, but they must be able to apply the standard, guideline or ISACA Code of Professional Ethics in a given situation.


Code of Professional Ethics

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields, and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.


6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Standards and Guidelines

There are three categories of standards and guidelines:

General (Guiding principles): Apply to the conduct of all assignments, and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill.
Performance: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence.
Reporting: Address the types of reports, means of communication and the information communicated.


Standards

Standards contain statements of mandatory requirements.

These standards inform:
o IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
o Management and other interested parties of the
concerning the work of practitioners
o Holders of the CISA designation of their requirements

Failure to comply with these standards may result in an investigation into the CISA by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.

General:
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance:
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting:
1401 Reporting
1402 Follow-up Activities


Guidelines

The objective of the ISACA IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the ISACA IS Audit and Assurance Standards.

The IS auditor and assurance professional should:
o Consider these guidelines in determining how to implement the standards.
o Use professional judgment in applying the guidelines to specific audits.
o Be able to justify any departure from the ISACA IS Audit and Assurance Standards.

General:
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance:
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting:
2401 Reporting
2402 Follow-up Activities


Tools and Techniques

The tools and techniques documents provide information on how to meet the standards when performing IS auditing work but do not set requirements.

Tools and techniques documents include:
o White papers
o Audit/Assurance programs
o COBIT 5 family of products
o Technical and Risk Management Reference series
o ISACA Journal IT Audit Basics

ITAF™ is a reference model that establishes standards, defines terms and provides guidance on the planning, conduct and reporting of IS auditing and assurance assignments.


Relationship

Figure: relationship between standards, guidelines, and tools and techniques
o Standards: must be followed by the IS auditor
o Guidelines: provide assistance on how the auditor can implement standards
o Tools & Techniques: provide examples of steps an auditor may follow to implement standards

Laws and Regulations

Certain industries, such as banks and internet service providers (ISPs), are closely regulated. These legal regulations may pertain to financial, operational and IS audit functions.

There are two areas of concern that impact the audit scope and objectives:
o Legal requirements placed on the audit
o Legal requirements placed on the auditee and its systems, data management, reporting, etc.

There may be cases where the legal/regulatory requirements are more stringent than the ISACA IS Audit and Assurance Standards.


Laws and Regulations

Examples include:
o US Health Insurance Portability and Accountability Act (HIPAA)
o US Sarbanes-Oxley Act of 2002
o Basel Accords
o Protection of Personal Data Directives and Electronic Commerce within the European Community

IS auditor must:
o Identify those government or other relevant external requirements dealing with:
  Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  Computer system practices and controls
  The manner in which computers, programs and data are stored
  The organization or the activities of information technology services
  IS audits


Laws and Regulations

Also, an IS auditor would perform these additional steps to compliance:
o Document applicable laws and regulations.
o Assess whether management and the IT function have considered the relevant external requirements in their plans, policies, standards and procedures, as well as business application features.
o Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
o Determine adherence to procedures that address these requirements.
o Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

CSA

Control self-assessment (CSA) is an assessment of controls made by the staff and management to assure stakeholders, customers and other parties of the internal controls.

It can range from simple questionnaires to facilitated workshops.

Tools include:
o Management meetings
o Client workshops
o Worksheets
o Rating sheets


CSA Objectives

The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas.

CSA empowers workers to assess or even design the control environment.
in assessing their environment by providing insight about the objectives of controls based on the risk assessment.

CSA Pros and Cons

Advantages:
o Early detection of risk
o More effective and improved internal controls
o Creation of cohesive teams through employee involvement
o Developing sense of ownership
o Increased employee awareness of weak controls
o Increased communication
o Improved audit rating process
o Reduction in control cost
o Assurance provided to stakeholders and customers

Disadvantages:
o Mistaken as an audit function replacement
o Regarded as an additional workload
o Failure to act on improvement suggestions could damage employee morale
o Lack of motivation may limit effectiveness in the detection


Traditional vs. CSA

Traditional | CSA
Assigns duties/supervises staff | Empowered/accountable employees
Policy/rule-driven | Continuous improvement/learning curve
Limited employee participation | Extensive employee participation and training
Narrow stakeholder focus | Broad stakeholder focus
Auditors and other specialists | Staff at all levels, in all functions, are the primary control analysts

Source: ISACA, CISA Review Manual 26th Edition, figure 1.12

In the Big Picture

Each task in the five domains contributes to the big picture of IS audit and control. The following shows one such connection. Can you think of others?

Task 1.1: Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.

The Big Picture: Through a focused risk-based approach, the IS auditor will focus on those areas most important to the organization.


Discussion Question

Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

Discussion Question

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.


Task 1.2

Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

Key Terms

Audit plan: A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion; includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work

Audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred


Audit universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process

Reasonable assurance: A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved

Task to Knowledge Statements

How does Task 1.2 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: By following ISACA standards and guidelines for planning, the IS audit organization charter will charge the IS auditor to always consider the protection of IS systems and the value derived from the systems within all IS audit engagements.

K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: In order to ensure the IS audit focuses on the most important IS security, operations, functions and capabilities being reviewed, the IS auditor must be able to effectively and efficiently assess the risk to these objectives.


How does Task 1.2 relate to each of the following knowledge statements?

K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: Only through a thorough understanding of the business processes supported by the IS can the IS auditor properly plan the IS audit engagement.

K1.4 Knowledge of control principles related to controls in information systems
Connection: The controls that should be in place and the scope of the IS audit are based on the inherent risk associated with the business processes supported by IS and the IS systems themselves.

K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Using risk assessments performed by the organization along with project management techniques, the IS auditor can properly focus time and resources needed to assess IS processes required to protect and deliver value to the organization.

K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: Specific laws and regulations will require specific system, process, data and information protections (controls) that must be assessed by the IS auditor.


How does Task 1.2 relate to each of the following knowledge statements?

K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Using the correct quality assurance construct will assist the IS auditor in ensuring the scope and purpose are aligned with system protection and value delivery.

K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type and complexity of the business processes and IS systems the IS auditor has been assigned to audit, he/she will need to select the correct IS audit approach to ensure the protection of the data, information and IS supporting the processes under audit.

Audit Planning

The first step in performing an IS audit is adequate planning.

To plan an audit, the following tasks must be completed:
o List all the processes that may be considered for the audit.
o Evaluate each process by performing a qualitative or quantitative risk assessment. These evaluations should be based on objective criteria.
o Define the overall risk of each process.
o Construct an audit plan to include all of the processes that are rated
annual audit plan.


When To Audit

Audit planning includes short-term and long-term planning.
o Short-term planning involves all audit issues that will be covered during the year.
o Long-term planning takes into account all risk-related
strategic direction.

In addition to a yearly analysis of short-term and long-term issues, individual audits may be conducted based on the following:
o New control issues
o Changes in risk environment, technologies and business processes
o Enhanced evaluation techniques
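As an added example (not part of the ISACA course material), the following Python script works through the Audit Planning steps and the When To Audit triggers above: it scores each process in the audit universe on objective criteria, derives an overall risk rating, and builds an annual plan that always includes high-rated, triggered and overdue areas before filling the remaining capacity, reporting any mandatory areas that did not fit. The criteria, weights, rating thresholds, the three-year coverage cycle and the sample audit universe are all constructed assumptions for illustration.

```python
"""Risk-based annual audit planning (added example, not ISACA code).

Criteria, weights, thresholds, the coverage cycle and the sample audit
universe below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Objective scoring criteria, each assessed 1 (low) to 5 (high). Assumed.
WEIGHTS = {
    "data_sensitivity": 0.35,     # confidentiality/integrity impact of the data
    "regulatory_exposure": 0.30,  # laws and regulations placed on the auditee
    "change_rate": 0.20,          # changes in technology or business process
    "prior_findings": 0.15,       # open issues from earlier audits
}
HIGH, MEDIUM = 4.0, 2.5   # overall-risk rating thresholds (assumed)
CYCLE_YEARS = 3           # long-term rule: every area audited at least this often (assumed)


@dataclass
class AuditArea:
    """One entry of the audit universe."""
    name: str
    scores: dict                      # criterion -> 1..5
    years_since_last_audit: int = 0
    triggers: list = field(default_factory=list)  # e.g. "new control issue"


def overall_risk(area):
    """Weighted score on the 1..5 scale. Rejects incomplete or out-of-range
    assessments instead of silently scoring them low."""
    total = 0.0
    for criterion, weight in WEIGHTS.items():
        if criterion not in area.scores:
            raise KeyError(f"{area.name}: no score for {criterion}")
        score = area.scores[criterion]
        if not 1 <= score <= 5:
            raise ValueError(f"{area.name}: {criterion}={score} outside 1..5")
        total += weight * score
    return round(total, 2)


def rating(score):
    """Map the overall risk to the qualitative rating used in the plan."""
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def mandatory_reasons(area):
    """Why an area cannot be left out of this year's plan (empty if it can)."""
    reasons = []
    if rating(overall_risk(area)) == "high":
        reasons.append("rated high")
    if area.years_since_last_audit >= CYCLE_YEARS:
        reasons.append(f"not audited for {area.years_since_last_audit} years")
    reasons.extend("trigger: " + t for t in area.triggers)
    return reasons


def build_annual_plan(universe, capacity):
    """Return {'plan', 'shortfall', 'deferred'}: mandatory areas first, then
    the highest-risk remaining areas until the engagement capacity is used.
    'shortfall' lists mandatory areas that did not fit; the planner wants
    it empty before the plan is approved."""
    ranked = sorted(
        universe,
        key=lambda a: (-overall_risk(a), -a.years_since_last_audit, a.name),
    )
    plan, shortfall, deferred = [], [], []
    for area in ranked:                       # pass 1: mandatory areas
        reasons = mandatory_reasons(area)
        if reasons:
            target = plan if len(plan) < capacity else shortfall
            target.append((area.name, overall_risk(area), reasons))
    for area in ranked:                       # pass 2: fill by risk rank
        if mandatory_reasons(area):
            continue
        target = plan if len(plan) < capacity else deferred
        target.append((area.name, overall_risk(area), ["fills remaining capacity"]))
    plan.sort(key=lambda entry: -entry[1])
    return {"plan": plan, "shortfall": shortfall, "deferred": deferred}


# Constructed sample audit universe (assumed scores).
UNIVERSE = [
    AuditArea("EFT payments", {"data_sensitivity": 5, "regulatory_exposure": 5,
                               "change_rate": 3, "prior_findings": 4}, 1),
    AuditArea("Customer database", {"data_sensitivity": 5, "regulatory_exposure": 5,
                                    "change_rate": 4, "prior_findings": 2}, 2),
    AuditArea("Payroll", {"data_sensitivity": 5, "regulatory_exposure": 4,
                          "change_rate": 2, "prior_findings": 3}, 1),
    AuditArea("Accounts payable", {"data_sensitivity": 4, "regulatory_exposure": 4,
                                   "change_rate": 2, "prior_findings": 2}, 3),
    AuditArea("Purchasing", {"data_sensitivity": 3, "regulatory_exposure": 3,
                             "change_rate": 5, "prior_findings": 2}, 1,
              triggers=["new ERP purchasing module"]),
    AuditArea("Intranet wiki", {"data_sensitivity": 1, "regulatory_exposure": 1,
                                "change_rate": 2, "prior_findings": 1}, 1),
]

if __name__ == "__main__":
    result = build_annual_plan(UNIVERSE, capacity=4)
    for section in ("plan", "shortfall", "deferred"):
        print(section.upper())
        for name, score, reasons in result[section]:
            print(f"  {name:<18} {score:4.2f} {rating(score):<6} {'; '.join(reasons)}")
```

With capacity 4, Payroll (3.8, medium) is deferred while the lower-scoring Accounts payable is included because it is overdue under the coverage cycle; lowering the capacity to 2 moves the overdue and triggered areas into the shortfall, which is the planner's signal to reconsider the approved plan.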


Audit Planning Steps

In order to plan an audit, the IS auditor must have an understanding of the overall environment under review. To accomplish this task, the IS auditor should:
o Gain an understanding of the mission, objectives, purpose and processes.
o Understand changes in business environment of the auditee.
o Review prior work papers.
o Identify stated contents, such as policies, standards and required guidelines, procedures and organization structure.

Also, to plan for an audit, the IS auditor should:
o Perform a risk analysis to help in designing the audit plan.
o Set the audit scope and audit objectives.
o Develop the audit approach or audit strategy.
o Assign personnel resources to the audit.
o Address engagement logistics.


Additional Considerations

The audit plan should take into consideration the objectives of the IS audit relevant to the audit area and its technology infrastructure and business strategic direction. The IS auditor can gain this information by:
o Reading background material, including industry publications, annual reports and independent financial analysis reports
o Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
o Reviewing business and IT long-term strategic plans

Other ways the IS auditor can gain this information include:
o Interviewing key managers to understand business issues
o Identifying specific regulations applicable to IT
o Identifying IT functions or related activities that have been outsourced
o Touring key organization facilities

The IS auditor must also match available audit resources, such as staff, with the tasks defined in the audit plan.


Risk Analysis

During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks.
o Understand the relationship between risk and control.
o Identify and differentiate risk types and the controls used to mitigate the risk.
o Evaluate risk assessment and management techniques used by the organization.
o Understand that risk exists as part of the audit process.

IS auditors are often focused on high-risk issues associated with confidentiality, integrity and availability of sensitive and critical information.


Risk Management Process

Risk Response

Risk Response Options
Risk mitigation: Applying appropriate controls to reduce the risk
Risk acceptance: Knowingly and objectively not taking action, providing the risk clearly
risk acceptance
Risk avoidance: Avoiding risk by not allowing actions that would cause the risk to occur
Risk transfer/sharing: Transferring the associated risk to other parties
Source: ISACA, CISA Review Manual 26th Edition, figure 1.3


Risk Assessment

A risk assessment assists the IS auditor in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls.
Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.
It supports risk-based audit decision making by considering variables, such as:
o Technical complexity
o Level of control procedures in place
o Level of financial loss

Risk Assessment Process

Using risk assessment to determine areas to be audited:
o Enables management to effectively allocate limited audit resources
o Ensures that relevant information has been obtained from all levels of management
o Establishes a basis for effectively managing the audit department
o Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

Figure (NIST SP 800-30 risk assessment process): Prepare for Assessment; Conduct Assessment (Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk); Communicate Results; Maintain Assessment.
Source: National Institute of Standards and Technology (NIST), NIST Special Publication 800-30, Revision 1: Information Security, USA, 2012. Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.


Risk-based Auditing

Figure (risk-based audit approach):
Gather Information and Plan: knowledge of business and industry; regulatory statutes; inherent risk assessments; recent financial information
Obtain Understanding of Internal Control: control environment; control procedures; control risk assessment; detection risk assessment; equate total risk
Perform Compliance Tests: identify key controls to be tested; perform tests on reliability, risk prevention and adherence to organization policies and procedures
Perform Substantive Tests: analytical procedures; detailed tests of account balances; other substantive audit procedures
Conclude the Audit: create recommendations; write audit report
Source: ISACA, CISA Review Manual 26th Edition, figure 1.8

Internal Controls

Internal controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization.
Internal controls should address:
o What should be achieved?
o What should be avoided?


Control Classification

Class: Function
Preventive: Detect problems before they arise. Monitor both operation and inputs. Attempt to predict potential problems before they occur and make adjustments. Prevent an error, omission or malicious act from occurring. Segregate duties (deterrent factor). Control access to physical facilities. Use well-designed documents (prevent errors).
Detective: Use controls that detect and report the occurrence of an error, omission or malicious act.
Corrective: Minimize the impact of a threat. Remedy problems discovered by detective controls. Identify the cause of a problem. Correct errors arising from a problem. Modify the processing system(s) to minimize future occurrences of the problem.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.5

IS Control Objectives

IS control objectives are statements of the desired result achieved by implementing controls. They provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented, detected or corrected.


IS control objectives may also include:
o Safeguarding assets
o System development life cycle (SDLC) processes are established, in place and operating effectively
o Integrity of general operating system (OS) environments
o Integrity of sensitive and critical application system environments
o Appropriate identification and authentication of users
o The efficiency and effectiveness of operations
o Integrity and reliability of systems by implementing effective change management procedures

General Controls

General controls include:
o Internal accounting controls that concern the safeguarding of assets and reliability of financial information
o Operational controls that concern day-to-day operations, functions and activities
o Administrative controls that concern operational efficiency in a functional area and adherence to management policies
o Organizational security policies and procedures to ensure proper usage of assets
o Overall policies for the design and use of adequate documents and records
o Access and use procedures and practices
o Physical and logical security policies for all facilities

IS Specific Controls

Each general control can be translated into an IS-specific control. The IS auditor should understand IS controls and how to apply them in planning an audit.
IS control procedures include:
o Strategy and direction of the IT function
o General organization and management of the IT function
o Access to IT resources, including data and programs
o Systems development methodologies and change control
o Protection and detective mechanisms against internal and external attacks

Additional IS control procedures include:
o Operations procedures
o Systems programming and technical support functions
o Quality assurance (QA) procedures
o Physical access controls
o Business continuity planning (BCP)/disaster recovery planning (DRP)
o Networks and communications
o Database administration


COBIT 5

COBIT 5 is a comprehensive framework for governance and management of enterprise IT. It helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
COBIT 5 Principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
Source: ISACA, COBIT 5, USA, 2012, figure 2

Types of Audits

Type: Description
Compliance audits: Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. Examples include Payment Card Industry Data Security Standard (PCI DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle health care data.
Financial audits: The purpose of a financial audit is to assess the accuracy of financial reporting. It often involves detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach. This kind of audit relates to financial information integrity and reliability.


Type: Description
Operational audits: An operational audit is designed to evaluate the internal control structure in a given process or area. Examples include IS audits of application controls or logical security systems.
Administrative audits: These are oriented to assess issues related to the efficiency of operational productivity within an organization.
IS audits: This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently. It also determines whether they have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Forensic audits: Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
Integrated audits: An integrated audit combines financial and operational audit steps. It is performed to assess the overall objectives within
safeguarding, efficiency and compliance.


Integrated Audit

An integrated audit focuses on risk. It involves a team of auditors with different skill sets working together to provide a comprehensive report.
Figure (overlapping audit scopes): Operational Audit, Financial Audit and IS Audit.

The process typically involves:
o Identification of risk faced by the organization for the area being audited
o Identification of relevant key controls
o Review and understanding of the design of key controls
o Testing that key controls are supported by the IT system
o Testing that management controls operate effectively
o A combined report or opinion on control risk, design and weaknesses
Source: ISACA, CISA Review Manual 26th Edition, figure 1.13


Continuous Auditing

Continuous auditing is characterized by the short time lapse between the audit, the collection of evidence and the audit reporting.
It results in better monitoring of financial issues, such as fraud, ensuring that real-time transactions benefit from real-time monitoring.
Continuous auditing should be independent of continuous controls and continuous monitoring.

This process must be carefully built into the business applications and may include IT techniques such as:
o Transaction logging
o Query tools
o Statistics and data analysis (CAAT)
o Database management systems (DBMS)
o Intelligent agents


Continuous Audit

For continuous auditing to succeed, it needs to have:
o A high degree of automation.
o Alarm triggers to report timely control failures.
o Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters.
o The ability to quickly inform IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors.
o Quick and timely issuance of automated audit reports.
o Technically proficient IS auditors.
o Availability of reliable sources of evidence.
o Adherence to materiality guidelines.

Methodology

An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, audit objectives and audit programs.
Each audit department should design and approve an audit methodology that is formalized and communicated to all audit staff.
An audit program should be developed to serve as a guide for performing and documenting all of the audit steps, and the extent and types of evidential matter reviewed.


Audit Phases

Audit Phase: Description
Audit subject: Identify the area to be audited.
Audit objective: Identify the purpose of the audit.
Audit scope: Identify the specific systems, function or unit of the organization to be included in the review.
Preaudit planning: Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited. Develop a communication plan at the beginning of each engagement that describes who to communicate to, when, how often and for what purpose(s).
Audit procedures and steps for data gathering: Identify and select the audit approach to verify and test the controls. Identify a list of individuals to interview. Identify and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify control.
Procedures for evaluating the test or review results: Identify methods (including tools) to perform the evaluation. Identify criteria for evaluating the test (similar to a test script for the IS auditor to use in conducting the evaluation). Identify means and resources to confirm the evaluation was accurate (and repeatable, if applicable).
Source: ISACA, CISA Review Manual 26th Edition, figure 1.7


Audit Phase: Description
Procedures for communication with management: Determine frequency of communication. Prepare documentation for final report.
Audit report preparation: Disclose follow-up review procedures. Disclose procedures to evaluate/test operational efficiency and effectiveness. Disclose procedures to test controls. Review and evaluate the soundness of documents, policies and procedures.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.7

In the Big Picture

Task 1.2: Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
The Big Picture: The IS auditor will always focus on the protection of critical data, information and IS components that are of greatest value to the organization.


Discussion Question

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size

Discussion Question

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.


Task 1.3

Conduct audits in accordance with IS audit standards to achieve planned audit objectives.

Key Terms

Key Term: Definition
Audit evidence: The information used to support the audit opinion.
Audit objective: The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.
Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Computer-assisted audit technique (CAAT): Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities.


Key Term: Definition
Evidence: The information an IS auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Materiality: An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited; an expression of the relative significance or importance of a particular matter in the context of the organization as a whole.

Task to Knowledge Statements

How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: Connection
K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards: Only through following the ISACA established and industry accepted IS audit and assurance standards and guidelines will the IS auditor be able to reasonably ensure both work product integrity and acceptance by all interested stakeholders.
K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up: The IS auditor must focus on the risks to data, information and critical system components to reasonably ensure the IS audit will achieve its stated purpose.


How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: Connection
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes: Knowledge of the business process being supported by the IS provides reasonable assurance the IS audit will achieve the intended IS audit objectives.
K1.4 Knowledge of control principles related to controls in information systems: The IS auditor will need to address the key controls required to address the critical risks to business processes and the IS supporting the processes along with data and information.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up: Knowing your key risks will enable you to focus on the key objectives for the IS audit; hence, you will meet the primary objectives for the engagement.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits: Almost all IS audits will involve both legal and regulatory compliance aspects. These should always be a consideration in the IS audit engagement objectives.


How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: Connection
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence: In order to meet the stated business objectives, the evidence must be obtained, collected, analyzed and evaluated in the most efficient and effective manner while always protecting its integrity. Through the use of IS audit tools and techniques, the IS audit can realize these requirements.
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures: Beyond the sheer volume of data and data sources an IS auditor is facing on each engagement, the IS auditor must ensure sampling techniques are used that enable the analysis to be representative of the overall transactional population (both IS system and business operations).
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification): The IS auditor must establish and maintain clear and effective lines of communication from the planning through follow-up stages of all IS audit engagements.
K1.10 Knowledge of audit quality assurance systems and frameworks: There may be guidelines and additional audit procedures that an IS auditor may wish to add in order to develop an opinion on the proper functioning of controls.


How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: Connection
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities: Recognizing that many recent, current and upcoming audits may provide adequate depth and coverage of areas could enable the IS auditor to place
the standards of professional practice and testing needed to provide reasonable assurance that the IS controls are operating effectively, efficiently and are aligned with both current and planned organizational goals and objectives.

IS Audit Steps

Define the audit scope.
Formulate the audit objectives.
Identify the audit criteria.
Perform audit procedures.
Review and evaluate evidence.
Form audit conclusions and opinions.
Report to management after discussion with key process owners.


IS Audit Project Management

Plan the audit engagement.
Plan the audit considering project-specific risk.
Build the audit plan.
Chart the necessary audit tasks across a time line, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
Execute the plan.
Execute audit tasks against the plan.
Monitor project activity.
IS auditors report their actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

Internal vs. External Audits

Internal Audit: The scope and objectives of the audit function within the organization are not specific to a particular IS audit.
External Audit: The scope and objectives of the audit are documented in a formal contract or statement of work.
The audit charter is a document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity. It must be approved by the highest level of management or the audit committee.
An engagement letter is a formal document which defines an IS audit assignment. It does not replace an audit charter.

Audit Objectives

A key element in IS audit planning is translating basic audit objectives into specific IS audit objectives.
Audit objectives refer to the specific goals that must be accomplished by the audit. They are often focused on validating that internal controls exist and are effective at minimizing business risk.

Audit Risk

Audit risk can be defined as the risk that information may contain a material error that may go undetected during the course of the audit.


Audit risk is influenced by:
o Inherent risk: the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented
o Control risk: the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
o Detection risk: the risk that misstatements have occurred that will not be detected by the IS auditor
o Overall audit risk: the risk that the information may contain material errors

The IS auditor should have a good understanding of audit risk when planning an audit.
Proper sampling procedures and strong quality control processes can minimize detection risk.

Audit Programs

An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Audit programs are based on the scope and objective of the particular assignment.
It is the audit strategy and plan.
It identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

Program Procedures

General Audit Procedures:
o Obtaining and recording an understanding of the audit area/subject
o A risk assessment and general audit plan and schedule
o Detailed audit planning
o Preliminary review of the audit area/subject
o Evaluating the audit area/subject
o Verifying and evaluating the appropriateness of controls designed to meet control objectives
o Compliance testing
o Substantive testing
o Reporting
o Follow-up

Procedures for Testing and Evaluating IS Controls:
o The use of generalized audit software to survey the contents of data files (including system logs)
o The use of specialized software to assess the contents of OS, database and application parameter files
o Flow-charting techniques for documenting automated applications and business processes
o The use of audit logs/reports available in operation/application systems
o Documentation review
o Inquiry and observation
o Walk-throughs
o Reperformance of controls


Fraud Detection

The presence of internal controls does not altogether eliminate fraud.
Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any fraud, whether material or not.
The IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities.
ISACA IS Audit and Assurance Standard 1005 Due Professional Care

Testing Methods

Compliance testing:
o Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
Substantive testing:
o Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
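The program change approval control from the discussion question above, tested both ways. This is an added example and not part of the ISACA course material: the CSV change-log layout, the control rule (every production change is approved by someone other than its developer, before it is deployed), the build contents and the production inventory are all constructed for illustration. check_change and alarm are the per-transaction trigger that continuous auditing depends on; compliance_test is the same test of control run over the whole audit period; substantive_test checks completeness and accuracy of what is actually in production, the way generalized audit software surveys a data file rather than asking how the control is supposed to work.

```python
"""CAAT-style compliance and substantive tests over a change log.

Added example, not part of the ISACA course material. The CSV layout, the
control rule, the build contents and the production inventory are
constructed for illustration.
"""
import csv
import hashlib
import io
from datetime import datetime


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed: the build that was approved for each change.
APPROVED_BUILDS = {
    "payroll.jar": b"payroll build 4.2.1",
    "ledger.jar": b"ledger build 7.0.0",
    "portal.war": b"portal build 1.9.3",
    "report.jar": b"report build 2.2.0",
}

# Constructed change log rows: change_id, developer, approver, approved_at,
# deployed_at, artifact. The approved build hash is appended below.
ROWS = [
    ("CHG-101", "alice", "bob",   "2016-03-01T09:00", "2016-03-02T10:00", "payroll.jar"),
    ("CHG-102", "carol", "carol", "2016-03-03T11:00", "2016-03-03T12:00", "ledger.jar"),   # self-approved
    ("CHG-103", "dave",  "",      "2016-03-05T08:00", "2016-03-05T09:00", "portal.war"),   # no approver
    ("CHG-104", "erin",  "bob",   "2016-03-08T15:00", "2016-03-08T14:00", "report.jar"),   # deployed first
]
CHANGE_LOG = (
    "change_id,developer,approver,approved_at,deployed_at,artifact,approved_sha256\n"
    + "".join(",".join(row + (sha256(APPROVED_BUILDS[row[5]]),)) + "\n" for row in ROWS)
)

# Constructed production inventory: ledger.jar is not the approved build and
# util.jar was never covered by a change record.
PRODUCTION = {
    "payroll.jar": b"payroll build 4.2.1",
    "ledger.jar": b"ledger build 7.0.1",
    "portal.war": b"portal build 1.9.3",
    "report.jar": b"report build 2.2.0",
    "util.jar": b"util build 0.1",
}


def parse_change_log(text):
    """Read the exported change log the way generalized audit software would."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def check_change(rec):
    """Compliance test of one record: did the approval control operate?
    Returns the list of control failures (empty when the record complies)."""
    failures = []
    if not rec["approver"]:
        failures.append("no approval recorded")
    elif rec["approver"] == rec["developer"]:
        failures.append("self-approved (segregation of duties)")
    if rec["approver"] and _ts(rec["approved_at"]) > _ts(rec["deployed_at"]):
        failures.append("deployed before approval")
    return failures


def alarm(rec):
    """Continuous-auditing trigger: evaluate a change as it is logged and
    return an alarm message, or None when it complies."""
    failures = check_change(rec)
    if not failures:
        return None
    return f"ALARM {rec['change_id']} by {rec['developer']}: " + "; ".join(failures)


def compliance_test(records):
    """Test of control over the audit period: exceptions keyed by change id."""
    return {r["change_id"]: check_change(r) for r in records if check_change(r)}


def substantive_test(records, production):
    """Substantive test of what is actually in production: accuracy (the
    deployed artifact is the approved build) and completeness (every
    production artifact is covered by a change record)."""
    findings = {}
    covered = set()
    for r in records:
        covered.add(r["artifact"])
        deployed = production.get(r["artifact"])
        if deployed is None:
            findings[r["artifact"]] = "approved change not present in production"
        elif sha256(deployed) != r["approved_sha256"]:
            findings[r["artifact"]] = "production artifact differs from approved build"
    for name in production:
        if name not in covered:
            findings[name] = "in production with no change record"
    return findings
```

Note what each test can and cannot say: compliance_test only shows whether the approval control operated for the changes that were logged, so a clean result there still leaves util.jar undetected; it takes the substantive comparison against the production inventory to surface an artifact that bypassed the change process or drifted after approval.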


Testing Process

This figure shows the relationship between compliance and substantive testing and describes the two categories of substantive tests.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.9

Evidence

Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions.
ISACA IS Audit and Assurance Standard 1205 Evidence
Some types of evidence are more reliable than others. Reliability is determined by:
o The independence of the evidence provider
o The qualifications of the evidence provider
o The objectivity of the evidence
o The timing of the evidence
The IS auditor must focus on the objectives of the audit and not on the nature of the evidence.
Evidence is considered competent when it is both valid and relevant.


Evidence Gathering Techniques

Figure (evidence gathering techniques):
o Review IS organizational structures.
o Review IS policies and procedures.
o Review IS standards.
o Review IS documentation.
o Interview appropriate personnel.
o Observe processes and employee performances.
o Conduct a reperformance.
o Conduct walkthroughs.

Interviews and Observations

Observing personnel in the performance of their duties assists an IS auditor in identifying:
o Actual functions
o Actual processes/procedures
o Security awareness
o Reporting relationships
Note that personnel may change their behavior if they know they are being observed. Therefore, combine observations with interviews, which can provide adequate assurance that personnel have the required technical skills.


Sampling

Sampling is used when time and cost constrain the ability to test all transactions or events.
There are two approaches to sampling:
o Statistical sampling uses an objective method to determine the sample size and selection criteria.
o Non-statistical sampling uses judgment to determine the sample size and selection criteria.

Sampling Methods

Attribute sampling
o Deals with the presence or absence of an attribute
o Expressed in rates of incidence
o Generally used in compliance testing
Attribute sampling methods: Proportional, Stop-or-go sampling, Discovery sampling

Sampling

Variable sampling
o Deals with population characteristics that vary, such as monetary values and weights
o Provides conclusions related to deviations from the norm
o Generally used in substantive testing
Variable sampling methods: Stratified mean per unit, Unstratified mean per unit, Difference estimation

Key Terms

Confidence coefficient: A percentage expression of the probability that the characteristics of the sample are a true representation of the population. The greater the confidence coefficient, the larger the sample size.
Level of risk: Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent.
Precision: Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population.
Expected error rate: An estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. Applied to attribute sampling only.
Sample mean: The sum of all sample values divided by the size of the sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. It is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage.
Population standard deviation: A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. Applied to variable sampling formulas only.
Source: ISACA, Fundamentals of IS Audit and Assurance Training Course, USA, 2014

Sampling Steps

o Determine the objectives.
o Define the population.
o Determine the method.
o Calculate the sample size.
o Select the sample.
o Evaluate the sample.
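The key terms above define the quantities but give no arithmetic. The following Python block is an added example, not part of the ISACA course material; it assumes the standard normal-approximation sample-size formulas, treats precision as the half-width of the acceptable range, and treats observed rate plus precision as the achieved upper limit when a compliance sample is evaluated against the tolerable error rate.

```python
"""Added example (not from the ISACA slides): the sampling key terms as code.

Assumptions, labelled here because the deck gives definitions but no formulas:
the sample-size calculations use the standard normal-approximation formulas,
``precision`` is the half-width of the acceptable range (a rate for attribute
sampling, a monetary amount for variable sampling), and the sample evaluation
treats observed rate + precision as the achieved upper limit.
"""
import math
from statistics import NormalDist, mean, stdev


def level_of_risk(confidence_coefficient):
    """Level of risk = 1 - confidence coefficient (0.95 -> 0.05)."""
    if not 0.0 < confidence_coefficient < 1.0:
        raise ValueError("confidence coefficient must be strictly between 0 and 1")
    return round(1.0 - confidence_coefficient, 10)


def z_score(confidence_coefficient):
    """Two-sided standard-normal critical value for the confidence coefficient."""
    alpha = level_of_risk(confidence_coefficient)
    return NormalDist().inv_cdf(1.0 - alpha / 2.0)


def attribute_sample_size(confidence_coefficient, expected_error_rate,
                          precision, population_size=None):
    """Attribute (compliance-test) sample size.

    n = z^2 * p * (1 - p) / precision^2, with the finite-population correction
    n / (1 + (n - 1) / N) when the population size N is known. A higher
    confidence coefficient, a higher expected error rate (below 50 percent) or
    a tighter precision all raise n, as the key-terms table states.
    """
    p = expected_error_rate
    z = z_score(confidence_coefficient)
    n = (z ** 2) * p * (1.0 - p) / (precision ** 2)
    if population_size:
        n = n / (1.0 + (n - 1.0) / population_size)
    return math.ceil(n)


def variable_sample_size(confidence_coefficient, population_std_dev, precision):
    """Mean-per-unit (variable) sample size: n = (z * sigma / precision)^2.

    A larger population standard deviation gives a larger sample size.
    """
    z = z_score(confidence_coefficient)
    return math.ceil((z * population_std_dev / precision) ** 2)


def sample_statistics(values):
    """Sample mean and sample standard deviation of the drawn sample."""
    return mean(values), stdev(values)


def evaluate_attribute_sample(errors_found, sample_size, precision,
                              tolerable_error_rate):
    """Compare the achieved upper error limit with the tolerable error rate.

    Returns (observed_rate, upper_limit, within_tolerance). The control can be
    relied on only when the upper limit does not exceed the tolerable rate.
    """
    observed = errors_found / sample_size
    upper_limit = observed + precision
    return observed, upper_limit, upper_limit <= tolerable_error_rate


if __name__ == "__main__":
    # Constructed figures for a compliance test of an access-approval control.
    n = attribute_sample_size(0.95, expected_error_rate=0.05, precision=0.03,
                              population_size=1000)
    print("level of risk at 95% confidence:", level_of_risk(0.95))
    print("attribute sample size (N=1000):", n)
    print("evaluation with 4 exceptions:", evaluate_attribute_sample(4, n, 0.03, 0.08))
    # Constructed invoice values for a substantive (variable) test.
    print("sample mean / std dev:", sample_statistics([100, 120, 110, 130, 115]))
    print("variable sample size:", variable_sample_size(0.95, 50, 10))
```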

CAATs

CAATs help IS auditors collect sufficient, relevant and useful evidence that may only exist in electronic form.
They are particularly useful when auditing systems that have different hardware and software environments, data structures, record formats or processing functions.

CAATs include many tools and techniques, such as:
o Generalized audit software (GAS)
o Utility software
o Debugging and scanning software
o Test data
o Application software tracing and mapping
o Expert systems


CAAT Considerations

Before the use of a CAAT, consider:
o Ease of use, both for existing and future audit staff
o Training requirements
o Complexity of coding and maintenance
o Flexibility of uses
o Installation requirements
o Processing efficiencies (especially with a PC CAAT)
o Effort required to bring the source data into the CAATs for analysis
o Ensuring the integrity of imported data by safeguarding their authenticity
o Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
o Obtaining permission to install the software on the auditee servers
o Reliability of the software
o Confidentiality of the data being processed

Evaluation of Controls

After gathering evidence, the IS auditor can use a control matrix to assess the strengths and weaknesses of the controls and determine if they are effective at meeting the control objectives.
The IS auditor should always review for compensating controls before reporting control weaknesses.
The IS auditor must keep the concept of materiality in mind and judge what would be significant to different levels of management.
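As an added example (not code from the ISACA course), the Python block below is a small CAAT in the spirit of generalized audit software: it imports an invoice master file extract, records the download time stamp and a digest of the data as received (the two integrity considerations listed above), and flags duplicate invoice records, the task posed in the last discussion question of this deck. The invoice rows and column names are constructed for illustration.

```python
"""Added example (not from the ISACA slides): a small CAAT in the spirit of
generalized audit software, illustrating the CAAT considerations and the
duplicate-invoice discussion question at the end of the deck.

All data below is constructed for illustration; the column names are assumed.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

# Constructed extract of an invoice master file (not real records).
SAMPLE_INVOICE_CSV = """invoice_no,vendor_id,invoice_date,amount
INV-1001,V010,2016-03-01,1250.00
INV-1002,V020,2016-03-02,480.50
INV-1001,V010,2016-03-01,1250.00
INV-1003,V010,2016-03-05,1250.00
INV-1004,V030,2016-03-07,99.99
INV-1005,V020,2016-03-02,480.5
"""


def import_extract(raw_text):
    """Parse the extract and record the evidence the CAAT considerations call
    for: a time stamp of the download and a digest of the data as received."""
    rows = list(csv.DictReader(io.StringIO(raw_text)))
    meta = {
        "downloaded_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(raw_text.encode("utf-8")).hexdigest(),
        "record_count": len(rows),
    }
    return rows, meta


def verify_extract(raw_text, recorded_sha256):
    """Re-check the digest later so the working papers can show the analysis
    ran over exactly the data that was downloaded."""
    return hashlib.sha256(raw_text.encode("utf-8")).hexdigest() == recorded_sha256


def find_exact_duplicates(rows):
    """Invoice numbers that occur more than once in the master file."""
    by_number = defaultdict(list)
    for row in rows:
        by_number[row["invoice_no"]].append(row)
    return {num: recs for num, recs in by_number.items() if len(recs) > 1}


def find_probable_duplicates(rows):
    """Different invoice numbers that share vendor, date and amount: the
    pattern of a re-keyed or resubmitted invoice that merits substantive
    follow-up. Amounts are compared as Decimal so 480.5 matches 480.50."""
    by_key = defaultdict(set)
    for row in rows:
        key = (row["vendor_id"], row["invoice_date"], Decimal(row["amount"]))
        by_key[key].add(row["invoice_no"])
    return {key: sorted(nums) for key, nums in by_key.items() if len(nums) > 1}


def run_caat(raw_text):
    """Import, then run both duplicate tests; returns a dict for the working papers."""
    rows, meta = import_extract(raw_text)
    return {
        "meta": meta,
        "exact_duplicates": sorted(find_exact_duplicates(rows)),
        "probable_duplicates": list(find_probable_duplicates(rows).values()),
    }


if __name__ == "__main__":
    result = run_caat(SAMPLE_INVOICE_CSV)
    print("import metadata:", result["meta"])
    print("exact duplicate invoice numbers:", result["exact_duplicates"])
    print("probable duplicates (same vendor/date/amount):", result["probable_duplicates"])
```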

In the Big Picture

Task 1.3: Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
The Big Picture: ISACA IS Audit and Assurance Standards provide consistent and proven industry-accepted methods and techniques to achieve the IS audit objectives.

Discussion Question

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A.
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D.


Discussion Question

Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat

Task 1.4

Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.

Key Terms

Audit report
management.
Stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.

Task to Knowledge Statements

How does Task 1.4 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: Knowledge of the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques enables the IS auditor to establish clear and effective communications to the key stakeholders.

K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: Using a risk-based approach will enable the IS auditor to communicate the most relevant and critical information throughout the IS audit engagement.


How does Task 1.4 relate to each of the following knowledge statements?

K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: business processes along with the business specific terminology will enable clear and effective communications to the key stakeholders.

K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
Connection: Based on specific legal and regulatory requirements applicable to the IS audit, the IS auditor will provide relevant reporting as to compliance with these requirements and enable stakeholders to take required actions to ensure compliance.

How does Task 1.4 relate to each of the following knowledge statements?

K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor must be able to speak to all levels of the organization to explain the results of the IS audit. The line management through the board of directors each have their specific needs for information related to the IS audit, and the IS auditor must be able to tailor the communications of these results accordingly.

K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Through the use of quality assurance systems and frameworks (CSA, Lean Six Sigma, etc.), the IS auditor can be a facilitator of positive and effective change to the organization.

K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type of audit approach used, the IS auditor as the subject matter expert can deliver effective and change-provoking communications to stakeholders.


Communication of Results

The IS auditor communicates the audit results in an exit interview with management.
During the exit interview, the IS auditor should:
o Ensure that the facts presented in the report are correct.
o Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management.
o Recommend implementation dates for agreed upon recommendations.
The IS auditor can present the results of the audit in an executive summary or a visual presentation.

Before communicating results of the audit to senior management, the IS auditor should discuss the findings with the key process owners to gain an agreement on the findings and develop a course of corrective action.
IS auditors should feel free to communicate issues or concerns with senior management or the audit committee.

Audit Report

Audit reports present the recommendations to management. They are the end product of the IS audit work.
ISACA IS Audit and Assurance Standard 1401 Reporting
The report should be balanced, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place.

Audit Report Structure

The audit report format and structure is dependent on the
have the following structure and content:
o An introduction to the report, including the audit objectives, limitations and scope, the period of audit coverage, and a general statement on the procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
o Audit findings, often grouped in sections by materiality and/or intended recipient
o
adequacy of controls and procedures, and the actual potential risk identified as a consequence of detected deficiencies
o
the audit
o Detailed audit findings and recommendations
o A variety of findings, some of which may be quite material while others are minor in nature


Audit Documentation

Audit documentation provides the necessary evidence that supports the audit findings and conclusions.
It should be clear, complete, and easily retrievable.
It is the property of the auditing entity and should only be accessible to authorized personnel.
All audit documentation should be:
o Dated
o Initialed
o Page-numbered
o Self-contained
o Properly labeled
o Kept in custody
ISACA IS Audit and Assurance Guideline 2203 Performance and Supervision

Audit documentation should include, at a minimum, a record of the following:
o Planning and preparation of the audit scope and objectives
o Description and/or walk-throughs on the scoped audit area
o Audit program
o Audit steps performed and audit evidence gathered
o Use of services of other auditors and experts
o Audit findings, conclusions and recommendations
o Audit documentation relation with document identification and dates

Documentation must include all information required by laws and regulations, contractual stipulations and professional standards.

In the Big Picture

Task 1.4: Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
The Big Picture: The IS auditor must provide stakeholders clear, concise and easily understood communications throughout all IS audit engagements.


Discussion Question

Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.

Discussion Question

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.

Task 1.5

Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Key Terms

Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.


Task to Knowledge Statements

How does Task 1.5 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: As per ISACA IS Audit and Assurance Standards and Guidelines, the IS auditor must perform follow-up reviews to provide reasonable assurance that prior and existing audit findings corrective actions are in place and operating effectively.

K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: Based on the risk posed by a finding, the IS auditor needs to ensure audit finding corrective actions are completed in a timely manner to address potential cyber threats that if left uncorrected could be exploited.

K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: The IS auditor must be aware of the existing business processes and any changes to the business processes that could affect the follow-up to existing/prior audit findings.

How does Task 1.5 relate to each of the following knowledge statements?

K1.4 Knowledge of control principles related to controls in information systems
Connection: The IS auditor must be able to translate general control categories into a real-world IS context. This enables both the identification and evaluation of controls in information systems.

K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Not all open and recently closed findings are created equal, and the IS auditor must be able to use project management techniques to prioritize and schedule follow-up activities accordingly.

K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
Connection: Based on legal and regulatory requirements, corrective action follow-up activities may have specific timelines and reporting requirements.

How does Task 1.5 relate to each of the following knowledge statements?

K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
Connection: Just like the original audit, all IS audit follow-up activities must be properly documented and linked to the existing/prior audit findings and the respective assessed corrective actions. Furthermore, the IS auditor needs to identify automated techniques that can be used to better perform the follow-up activities in a timely manner.

K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
Connection: As with the original IS audit, the IS auditor will use recognized sampling techniques to gather and analyze data during the follow-up activities.

How does Task 1.5 relate to each of the following knowledge statements?

K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor will document and report the follow-up activities to all relevant stakeholders to ensure these parties are aware of the corrective action status of IS audit findings.

K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: The IS auditor should review the quality systems and frameworks used by the organization to address the IS audit findings and verify these methodologies were appropriate and effective.


How does Task 1.5 relate to each of the following knowledge statements?

K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type of audit (i.e., compliance, investigations, etc.), the IS auditor will need to know how to document and report the follow-up results. If more recent audits have been performed that may indicate the corrective actions are complete, the IS auditor will need to determine if the work performed is adequate to close the finding.

Follow-up Activities

Auditing is an ongoing process.
ISACA IS Audit and Assurance Standard 1402 Follow-up Activities
responsibility to ensure that management has taken appropriate corrective actions.
A follow-up program should be implemented to manage follow-up activities.
When the follow-up occurs depends on the criticality of the audit findings.
Results of the follow-up should be communicated to the appropriate level of management.

In the Big Picture

Task 1.5: Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
The Big Picture: The IS auditor is responsible for the timely verification of corrective actions in response to all IS audit findings.

Discussion Question

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.


Discussion Question

The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve internal control procedures.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.

Domain 1 Summary

This Domain is the foundation of the professional practice of IS audit and assurance.
ISACA IS Audit and Assurance Standards and Guidelines enable the IS auditor to ensure they are meeting industry-wide acceptance of their work product.
A risk-based approach must always be used throughout the IS audit engagement life cycle.

The IS auditor must know the business process that the
The IS auditor must understand the types of controls that can be used to mitigate risk.
Most, if not all, IS audits now have either legal (business contracts) or regulatory impacts.

Knowledge of evidence collection techniques ensures integrity and enables the accurate, correct and timely analysis of data and information during the IS audit.
Sampling is critical to ensuring the testing is representative of the populations in scope for the IS audit.
The IS auditor must master written and verbal communications skills from planning through follow-up.


The IS auditor must know how to use other quality systems and frameworks within the IS audit engagement and during follow-up activities, as appropriate.
The IS auditor must understand their role when using the work of others where permissible and appropriate.

Discussion Question

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Review of the audit charter
C. Identification of key information owners
D. Development of a risk assessment

Discussion Question

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)