ABOUT THE CISA EXAM
CISA EXAM PREPARATION
© Copyright 2016 ISACA. All rights reserved.
[Figure: CISA exam domain weights. Domain 2: Governance and Management of IT, 16%; Domain 3: Information Systems Acquisition, Development and Implementation, 18%; Domain 4: Information Systems Operations, Maintenance and Service Management, 20%.]
Domain 1
The focus of Domain 1 is to encompass the entire practice of IS auditing, including a set of procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.

Domain Objectives
The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to:
o Provide audit services in accordance with IS audit standards.
o Assist the organization with protecting and controlling information systems.
17 © Copyright 2016 ISACA. All rights reserved. 18 © Copyright 2016 ISACA. All rights reserved.
19 © Copyright 2016 ISACA. All rights reserved. 20 © Copyright 2016 ISACA. All rights reserved.
1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Task 1.1
Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
Key Terms
Information systems (IS): The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO).
Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure.
Tools and techniques: Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work but do not set requirements.
How does Task 1.1 relate to each of the following knowledge statements?
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: On all IS audit engagements, legal (to include contracts with business partners) and regulatory requirements must be part of the IS audit process. These requirements affect how often and how many IS audits are performed and also how the audit obtains, collects and protects evidence, reporting and follow-up.
K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Through the understanding of quality assurance systems and frameworks, the IS auditor can:
o Integrate the validated quality assurance system (QAS) work product into the IS audit.
o Incorporate auditee QAS tools within the recommendations to address monitoring deficiencies.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: … professional career, he/she will be asked to lead and/or participate in a variety of IS and associated audits, investigations, surveys and reviews.
Standards
Standards contain statements of mandatory requirements. These standards inform:
o IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
o Holders of the CISA designation of their requirements
Failure to comply with these standards may result in an investigation into the CISA by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.

General standards: 1001 Audit Charter; 1002 Organizational Independence; 1007 Assertions; 1008 Criteria
Performance standards: 1201 Engagement Planning; 1202 Risk Assessment in Planning; 1207 Irregularity and Illegal Acts
Reporting standards: 1401 Reporting; 1402 Follow-up Activities
Guidelines
The objective of the ISACA IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the ISACA IS Audit and Assurance Standards.
o Use professional judgment in applying the guidelines to specific audits.
o Be able to justify any departure from the ISACA IS Audit and Assurance Standards.

General guidelines: 2001 Audit Charter; 2002 Organizational Independence; 2003 Professional Independence; 2008 Criteria
Performance guidelines: 2201 Engagement Planning; 2202 Risk Assessment in Planning; 2203 Performance and Supervision; 2208 Sampling
Reporting guidelines: 2401 Reporting; 2402 Follow-up Activities
Laws and Regulations
IS auditor must:
o Identify those government or other relevant external requirements dealing with:
    o Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
    o Computer system practices and controls
    o The manner in which computers, programs and data are stored
    o The organization or the activities of information technology services
    o IS audits

Examples include:
o US Health Insurance Portability and Accountability Act (HIPAA)
o US Sarbanes-Oxley Act of 2002
o Basel Accords
o Protection of Personal Data Directives and Electronic Commerce within the European Community
How does Task 1.2 relate to each of the following knowledge statements?
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: Only through a thorough understanding of the business processes supported by the IS can the IS auditor properly plan the IS audit engagement.
K1.4 Knowledge of control principles related to controls in information systems
Connection: The controls that should be in place and the scope of the IS audit are based on the inherent risk associated with the business processes supported by IS and the IS systems themselves.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Using risk assessments performed by the organization along with project management techniques, the IS auditor can properly focus time and resources needed to assess IS processes required to protect and deliver value to the organization.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: Specific laws and regulations will require specific system, process, data and information protections (controls) that must be assessed by the IS auditor.
How does Task 1.2 relate to each of the following knowledge statements?
K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Using the correct quality assurance construct will assist the IS auditor in ensuring the scope and purpose are aligned with system protection and value delivery.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type and complexity of the business processes and IS systems the IS auditor has been assigned to audit, he/she will need to select the correct IS audit approach to ensure the protection of the data, information and IS supporting the processes under audit.

Audit Planning
The first step in performing an IS audit is adequate planning. To plan an audit, the following tasks must be completed:
o List all the processes that may be considered for the audit.
o Evaluate each process by performing a qualitative or quantitative risk assessment. These evaluations should be based on objective criteria.
o Define the overall risk of each process.
o Construct an audit plan to include all of the processes that are rated … annual audit plan.
When To Audit
Audit planning includes short-term and long-term planning.
o Short-term planning involves all audit issues that will be covered during the year.
o Long-term planning takes into account all risk-related … strategic direction.

In addition to a yearly analysis of short-term and long-term issues, individual audits may be conducted based on the following:
o New control issues
o Changes in risk environment, technologies and business processes
o Enhanced evaluation techniques
Additional Considerations
The audit plan should take into consideration the objectives of the IS audit relevant to the audit area and its technology infrastructure and business strategic direction. The IS auditor can gain this information by:
o Reading background material, including industry publications, annual reports and independent financial analysis reports
o Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
o Reviewing business and IT long-term strategic plans

Other ways the IS auditor can gain this information include:
o Interviewing key managers to understand business issues
o Identifying specific regulations applicable to IT
o Identifying IT functions or related activities that have been outsourced
o Touring key organization facilities

The IS auditor must also match available audit resources, such as staff, with the tasks defined in the audit plan.
Risk Analysis
During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks.
IS auditors are often focused on high-risk issues associated with confidentiality, integrity and availability of sensitive and critical information.
… risk acceptance
Risk avoidance: Avoiding risk by not allowing actions that would cause the risk to occur
Risk transfer/sharing: Transferring the associated risk to other parties
Source: ISACA, CISA Review Manual 26th Edition, figure 1.3
Risk assessments should identify, quantify and …
General Controls
IS control objectives may also include:
o Safeguarding assets
o System development life cycle (SDLC) processes are established, in place and operating effectively
o Integrity of general operating system (OS) environments
o Integrity of sensitive and critical application system environments
o Appropriate identification and authentication of users
o The efficiency and effectiveness of operations
o Integrity and reliability of systems by implementing effective change management procedures

General controls include:
o Internal accounting controls that concern the safeguarding of assets and reliability of financial information
o Operational controls that concern day-to-day operations, functions and activities
o Administrative controls that concern operational efficiency in a functional area and adherence to management policies
o Organizational security policies and procedures to ensure proper usage of assets
o Overall policies for the design and use of adequate documents and records
o Access and use procedures and practices
o Physical and logical security policies for all facilities
IS Specific Controls
Each general control can be translated into an IS-specific control. The IS auditor should understand IS controls and how to apply them in planning an audit.
IS control procedures include:
o Strategy and direction of the IT function
o General organization and management of the IT function
o Access to IT resources, including data and programs
o Systems development methodologies and change control
o Protection and detective mechanisms against internal and external attacks

Additional IS control procedures include:
o Operations procedures
o Systems programming and technical support functions
o Quality assurance (QA) procedures
o Physical access controls
o Business continuity planning (BCP)/disaster recovery planning (DRP)
o Networks and communications
o Database administration
… create optimal value from IT by maintaining a balance between …
2. Covering the …
5. Separating governance …
… Security Standard (PCI DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle …
Integrated Audit
An integrated audit focuses on risk. It involves a team of auditors with different skill sets working together to provide a comprehensive report.
[Figure 1.13: Operational Audit, Financial Audit, IS Audit]

The process typically involves:
o Identification of risk faced by the organization for the area being audited
o Identification of relevant key controls
o Review and understanding of the design of key controls
o Testing that key controls are supported by the IT system
o Testing that management controls operate effectively
o A combined report or opinion on control risk, design and weaknesses
Source: ISACA, CISA Review Manual 26th Edition, figure 1.13
Continuous Auditing
Continuous auditing is characterized by the short time lapse between the audit, the collection of evidence and the audit reporting.
It results in better monitoring of financial issues, such as fraud, ensuring that real-time transactions benefit from real-time monitoring.
Continuous auditing should be independent of continuous controls and continuous monitoring.

This process must be carefully built into the business applications and may include IT techniques such as:
o Transaction logging
o Query tools
o Statistics and data analysis (CAAT)
o Database management systems (DBMS)
o Intelligent agents
Audit Phases
Audit subject: Identify the area to be audited.
Audit objective: Identify the purpose of the audit.
Audit scope: Identify the specific systems, function or unit of the organization to be included in the review.
Preaudit planning: Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited. Develop a communication plan at the beginning of each engagement that describes who to communicate to, when, how often and for what purpose(s).
Audit procedures and steps for data gathering: Identify and select the audit approach to verify and test the controls. Identify a list of individuals to interview. Identify and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify control.
Procedures for evaluating the test or review results: Identify methods (including tools) to perform the evaluation. Identify criteria for evaluating the test (similar to a test script for the IS auditor to use in conducting the evaluation). Identify means and resources to confirm the evaluation was accurate (and repeatable, if applicable).
Source: ISACA, CISA Review Manual 26th Edition, figure 1.7
… with management
Audit report preparation: Disclose follow-up review procedures. Disclose procedures to evaluate/test operational efficiency and effectiveness. Disclose procedures to test controls. Review and evaluate the soundness of documents, policies and procedures.

The Big Picture
Task 1.2: Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
The IS auditor will always focus on the protection of critical data, information and IS components that are of greatest value to the organization.
Task 1.3
Conduct audits in accordance with IS …

Key Term
Audit program: A step-by-step set of audit procedures and instructions
How does Task 1.3 relate to each of the following knowledge statements?
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: … of the business process being supported by the IS provides reasonable assurance the IS audit will achieve the intended IS audit objectives.
K1.4 Knowledge of control principles related to controls in information systems
Connection: The IS auditor will need to address the key controls required to address the critical risks to business processes and the IS supporting the processes along with data and information.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Knowing your key risks will enable you to focus on the key objectives for the IS audit; hence, you will meet the primary objectives for the engagement.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: Almost all IS audits will involve both legal and regulatory compliance aspects. These should always be a consideration in the IS audit engagement objectives.
How does Task 1.3 relate to each of the following knowledge statements?
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
Connection: In order to meet the stated business objectives, the evidence must be obtained, collected, analyzed and evaluated in the most efficient and effective manner while always protecting its integrity. Through the use of IS audit tools and techniques, the IS audit can realize these requirements.
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
Connection: Beyond the sheer volume of data and data sources an IS auditor is facing on each engagement, the IS auditor must ensure sampling techniques are used that enable the analysis to be representative of the overall transactional population (both IS system and business operations).
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor must establish and maintain clear and effective lines of communication from the planning through follow-up stages of all IS audit engagements.
K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: There may be guidelines and additional audit procedures that an IS auditor may wish to add in order to develop an opinion on the proper functioning of controls.
How does Task 1.3 relate to each of the following knowledge statements?
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Recognizing that many recent, current and upcoming audits may provide adequate depth and coverage of areas could enable the IS auditor to place …

IS Audit Steps
Define the audit scope.
Formulate the audit objectives.
Identify the audit criteria.
Perform audit procedures.
Audit risk is influenced by:
o Inherent risk: the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented
o … risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
o … misstatements have occurred that will not be detected by the IS auditor
o … contain material errors

The IS auditor should have a good understanding of audit risk when planning an audit. Proper sampling procedures and strong quality control processes can minimize detection risk.
o Provides conclusions related to deviations from the norm
o Generally used in substantive testing

Precision: Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population.
Expected error rate: An estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. Applied to attribute sampling only.
Sampling Steps
[Figure: Define the objectives. Define the population. Determine the method. Calculate the sample size. Select the sample. Evaluate the sample.]

Sample mean: The sum of all sample values divided by the size of the sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. It is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage.
Population standard deviation: A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. Applied to variable sampling formulas only.
Source: ISACA, Fundamentals of IS Audit and Assurance Training Course, USA, 2014
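The sampling steps and terms above, worked through in code. This is an added example and not ISACA material: the normal-approximation sample-size formulas, the z-value table and the change-ticket population are assumptions of the example, since the slide names the terms but gives no formula.

```python
"""Worked sampling steps for an IS audit (added example, not ISACA's code).

Covers the slide's terms: sample mean, sample standard deviation, precision,
expected error rate, tolerable error rate and population standard deviation.
The sample-size formulas are the textbook normal-approximation formulas and
are an assumption of this example; the slide itself gives no formula.
"""
import math
import random

# z-values for common confidence levels (two-sided normal); assumed here.
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_mean(values):
    """Sum of all sample values divided by the size of the sample."""
    return sum(values) / len(values)


def sample_std_dev(values):
    """Spread of the sample values around the sample mean (n - 1 denominator)."""
    mean = sample_mean(values)
    variance = sum((v - mean) ** 2 for v in values) / (len(values) - 1)
    return math.sqrt(variance)


def attribute_sample_size(confidence, expected_error_rate, precision):
    """Step 4 for attribute (compliance) sampling: n = z^2 * p(1-p) / precision^2.

    A larger expected error rate or a tighter precision gives a larger sample,
    which is the relationship the slide states.
    """
    z = Z_VALUES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / precision ** 2)


def variable_sample_size(confidence, population_std_dev, precision_amount):
    """Step 4 for variable (substantive) sampling: n = (z * sigma / precision)^2.

    The greater the population standard deviation, the larger the sample.
    """
    z = Z_VALUES[confidence]
    return math.ceil((z * population_std_dev / precision_amount) ** 2)


def select_sample(population, size, seed):
    """Step 5: random selection so every item has an equal chance of being drawn."""
    return random.Random(seed).sample(population, size)


def evaluate_attribute_sample(sample, is_exception, tolerable_error_rate, precision):
    """Step 6: compare the projected upper error limit with the tolerable error rate.

    Returns (observed_rate, upper_limit, reliable). The control is treated as
    reliable only when observed rate + precision stays within the tolerable rate.
    """
    exceptions = sum(1 for item in sample if is_exception(item))
    observed_rate = exceptions / len(sample)
    upper_limit = round(observed_rate + precision, 6)
    return observed_rate, upper_limit, upper_limit <= tolerable_error_rate


def demo():
    """Run the six steps on a constructed population of 1,000 change tickets."""
    # Constructed data: every 125th ticket lacks change-board approval.
    population = [{"id": i, "approved": i % 125 != 0} for i in range(1, 1001)]
    n = attribute_sample_size(0.95, expected_error_rate=0.05, precision=0.03)
    sample = select_sample(population, n, seed=7)
    rate, upper, ok = evaluate_attribute_sample(
        sample, lambda t: not t["approved"], tolerable_error_rate=0.05, precision=0.03)
    return n, rate, upper, ok


if __name__ == "__main__":
    print(demo())
```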
CAATs
CAATs help IS auditors collect sufficient, relevant and useful evidence that may only exist in electronic form. They are particularly useful when auditing systems that have different hardware and software environments, data structures, record formats or processing functions.
CAATs include many tools and techniques, such as:
o Generalized audit software (GAS)
o Utility software
o Debugging and scanning software
o Test data
o Application software tracing and mapping
o Expert systems
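As an added example that is not part of the ISACA material, the following applies the continuous-auditing techniques listed earlier (transaction logging, statistics and data analysis) as CAAT-style exception tests over a constructed payment log. The log format, the approval limits and the four tests are assumptions of the example.

```python
"""Continuous-auditing exception tests over a transaction log (added example).

The log format, the approval limits and the four tests are assumptions of this
example; they illustrate the 'transaction logging' and 'statistics and data
analysis' techniques on the slide, not any ISACA-supplied tool.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed transaction log: one row per payment, already in electronic form.
LOG = """\
txn_id,vendor,invoice,amount,created_by,approved_by
1001,Acme Ltd,INV-551,4200.00,alice,bob
1002,Acme Ltd,INV-552,9800.00,alice,bob
1003,Globex,INV-77,15000.00,carol,carol
1004,Acme Ltd,INV-551,4200.00,dave,bob
1005,Initech,INV-9,26000.00,alice,bob
1006,Globex,INV-78,9950.00,alice,bob
1007,Globex,INV-79,9900.00,alice,bob
"""

# Per-approver authority limits (assumed for the example).
APPROVAL_LIMITS = {"bob": 10000.00, "carol": 50000.00}
SPLIT_WINDOW = 0.05  # flag amounts within 5% below an approver's limit


def parse_log(text):
    """Read the CSV log into dicts, converting the amount to a number."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def check_segregation_of_duties(rows):
    """Exception: the same person created and approved a payment."""
    return [(r["txn_id"], "SoD: creator approved own payment")
            for r in rows if r["created_by"] == r["approved_by"]]


def check_approval_limits(rows):
    """Exception: approver has no limit on file or the amount exceeds it."""
    out = []
    for r in rows:
        limit = APPROVAL_LIMITS.get(r["approved_by"])
        if limit is None or r["amount"] > limit:
            out.append((r["txn_id"], "approval limit exceeded or approver unknown"))
    return out


def check_duplicate_invoices(rows):
    """Exception: the same vendor invoice paid more than once."""
    seen = {}
    out = []
    for r in rows:
        key = (r["vendor"], r["invoice"])
        if key in seen:
            out.append((r["txn_id"], f"duplicate of {seen[key]}"))
        else:
            seen[key] = r["txn_id"]
    return out


def check_split_transactions(rows, min_count=2):
    """Statistical pattern: repeated amounts just under the approver's limit."""
    near_limit = defaultdict(list)
    for r in rows:
        limit = APPROVAL_LIMITS.get(r["approved_by"])
        if limit and limit * (1 - SPLIT_WINDOW) <= r["amount"] <= limit:
            near_limit[(r["created_by"], r["approved_by"])].append(r["txn_id"])
    return [(ids[-1], f"{len(ids)} payments just under limit: {ids}")
            for ids in near_limit.values() if len(ids) >= min_count]


def run_continuous_audit(text):
    """Run every test over the log and return (txn_id, finding) pairs, sorted."""
    rows = parse_log(text)
    exceptions = []
    for check in (check_segregation_of_duties, check_approval_limits,
                  check_duplicate_invoices, check_split_transactions):
        exceptions.extend(check(rows))
    return sorted(exceptions)


if __name__ == "__main__":
    for txn_id, finding in run_continuous_audit(LOG):
        print(txn_id, finding)
```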
How does Task 1.4 relate to each of the following knowledge statements?
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: … business processes along with the business specific terminology will enable clear and effective communications to the key stakeholders.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
Connection: Based on specific legal and regulatory requirements applicable to the IS audit, the IS auditor will provide relevant reporting as to compliance with these requirements and enable stakeholders to take required actions to ensure compliance.
How does Task 1.4 relate to each of the following knowledge statements?
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor must be able to speak to all levels of the organization to explain the results of the IS audit. The line management through the board of directors each have their specific needs for information related to the IS audit, and the IS auditor must be able to tailor the communications of these results accordingly.
K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Through the use of quality assurance systems and frameworks (CSA, Lean Six Sigma, etc.), the IS auditor can be a facilitator of positive and effective change to the organization.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type of audit approach used, the IS auditor as the subject matter expert can deliver effective and change-provoking communications to stakeholders.
Communication of Results
The IS auditor communicates the audit results in an exit interview with management. During the exit interview, the IS auditor should:
o Ensure that the facts presented in the report are correct.
o Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management.
o Recommend implementation dates for agreed upon recommendations.
The IS auditor can present the results of the audit in an executive summary or a visual presentation.

Before communicating results of the audit to senior management, the IS auditor should discuss the findings with the key process owners to gain an agreement on the findings and develop a course of corrective action.
IS auditors should feel free to communicate issues or concerns with senior management or the audit committee.
Audit Documentation
Audit documentation provides the necessary evidence that supports the audit findings and conclusions. It should be clear, complete, and easily retrievable. It is the property of the auditing entity and should only be accessible to authorized personnel.
All audit documentation should be:
o Dated
o Initialed
o Page-numbered
o Self-contained
o Properly labeled
o Kept in custody
(ISACA IS Audit and Assurance Guideline 2203 Performance and Supervision)

Audit documentation should include, at a minimum, a record of the following:
o Planning and preparation of the audit scope and objectives
o Description and/or walk-throughs on the scoped audit area
o Audit program
o Audit steps performed and audit evidence gathered
o Use of services of other auditors and experts
o Audit findings, conclusions and recommendations
o Audit documentation relation with document identification and dates
How does Task 1.5 relate to each of the following knowledge statements?
Knowledge Statement: K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
Connection: Just like the original audit, all IS audit follow-up activities must be properly documented and linked to the existing/prior audit findings and the respective assessed corrective actions. Furthermore, the IS auditor needs to identify automated techniques that can be used to better perform the follow-up activities in a timely manner.
Knowledge Statement: K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
Connection: As with the original IS audit, the IS auditor will use recognized sampling techniques to gather and analyze data during the follow-up activities.
Knowledge Statement: K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor will document and report the follow-up activities to all relevant stakeholders to ensure these parties are aware of the corrective action status of the IS audit findings.
Knowledge Statement: K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: The IS auditor should review the quality systems and frameworks used by the organization to address the IS audit findings and verify that these methodologies were appropriate and effective.
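K1.7 lists computer-assisted audit techniques (CAATs) and data analysis among the evidence collection techniques, and the connection above asks the IS auditor to identify automated techniques for timely follow-up. The script below is an added example and is not part of the ISACA material: it runs a whole-population duplicate test over a constructed extract of an invoice master file and records a SHA-256 hash of the extract exactly as received, so the working papers can show that the file tested is the file obtained. The column names and the sample rows are assumptions; a real engagement would point the same test at the extract provided by the auditee.

```python
import csv
import hashlib
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extract of an invoice master file (assumed layout, not real data).
SAMPLE_INVOICE_CSV = """invoice_no,vendor_id,invoice_date,amount
INV-1001,V001,2016-03-01,1250.00
INV-1002,V002,2016-03-02,480.50
INV-1001,V001,2016-03-01,1250.00
INV-1003,V003,2016-03-03,9999.99
INV-1004,V002,2016-03-02,480.5
INV-1005,V004,2016-03-05,75.00
"""


def evidence_hash(raw: bytes) -> str:
    """SHA-256 of the extract as received. Recording it in the working papers
    lets a reviewer tie the test results back to the exact file obtained
    (K1.7: protect and preserve audit evidence)."""
    return hashlib.sha256(raw).hexdigest()


def load_invoices(raw: bytes) -> list:
    """Parse the CSV extract. Amounts are normalised to two decimal places with
    Decimal so that 480.5 and 480.50 compare equal without float rounding."""
    rows = []
    for row in csv.DictReader(io.StringIO(raw.decode("utf-8"))):
        row["amount"] = str(Decimal(row["amount"]).quantize(Decimal("0.01")))
        rows.append(row)
    return rows


def find_duplicates(invoices: list) -> dict:
    """Two tests over the entire population rather than a sample.

    exact_duplicates:  the same invoice number recorded more than once for one vendor.
    repeated_payments: the same vendor, date and amount recorded under different
                       invoice numbers, the usual shape of a re-keyed or resubmitted
                       invoice that an exact-key test would miss.
    """
    by_invoice = defaultdict(list)
    by_fingerprint = defaultdict(set)
    for inv in invoices:
        by_invoice[(inv["vendor_id"], inv["invoice_no"])].append(inv)
        key = (inv["vendor_id"], inv["invoice_date"], inv["amount"])
        by_fingerprint[key].add(inv["invoice_no"])

    exact = sorted(
        f"{vendor}/{number}"
        for (vendor, number), rows in by_invoice.items()
        if len(rows) > 1
    )
    repeated = sorted(
        sorted(numbers) for numbers in by_fingerprint.values() if len(numbers) > 1
    )
    return {"exact_duplicates": exact, "repeated_payments": repeated}


def run_caat(raw: bytes) -> dict:
    """Hash the evidence first, then test it; the hash and the population size
    belong in the working papers alongside the exceptions."""
    invoices = load_invoices(raw)
    return {
        "evidence_sha256": evidence_hash(raw),
        "population": len(invoices),
        "findings": find_duplicates(invoices),
    }


if __name__ == "__main__":
    result = run_caat(SAMPLE_INVOICE_CSV.encode("utf-8"))
    print("evidence sha256:", result["evidence_sha256"])
    print("population:", result["population"])
    for test_name, exceptions in result["findings"].items():
        print(f"{test_name}: {exceptions}")
```

Every exception the script reports is a lead for the auditor to corroborate through inspection or inquiry, not a finding in itself; the hash and the population count are what make the test repeatable at follow-up, when the same script can be re-run against a fresh extract to confirm whether the corrective action actually cleared the duplicates.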
How does Task 1.5 relate to each of the following knowledge statements?
Knowledge Statement: K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type of audit (i.e., compliance, investigations, etc.), the IS auditor will need to know how to document and report the follow-up results. If more recent audits have been performed that may indicate the corrective actions are complete, the IS auditor will need to determine if the work performed is adequate to close the finding.
Follow-up Activities
Auditing is an ongoing process.
Reference: ISACA IS Audit and Assurance Standard 1402 Follow-up Activities
... responsibility to ensure that management has taken appropriate corrective actions.
A follow-up program should be implemented to manage follow-up activities.
When the follow-up occurs depends on the criticality of the audit findings.
Results of the follow-up should be communicated to the appropriate level of management.
The IS auditor must know the business process that the
The IS auditor must understand the types of controls that can be used to mitigate risk.
Most, if not all, IS audits now have either legal (business contracts) or regulatory impacts.
Knowledge of evidence collection techniques ensures integrity and enables the accurate, correct and timely analysis of data and information during the IS audit.
Sampling is critical to ensuring the testing is representative of the populations in scope for the IS audit.
The IS auditor must master written and verbal communication skills from planning through follow-up.
The IS auditor must know how to use other quality systems and frameworks within the IS audit engagement and during follow-up activities, as appropriate.
The IS auditor must understand their role when using the work of others where permissible and appropriate.
Discussion Question
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
A. Development of an audit program
B. Review of the audit charter
C. Identification of key information owners
D. Development of a risk assessment
Discussion Question
Which of the following should an IS auditor use to detect
duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)