CISA Domain 1: Information Systems Auditing Process

INTRODUCTION
Md. Mushfiqur Rahman, CISA, ITIL-F

CEH, MCP,MCTS,MCITP,MCSA,MCSE,SCSA,
CCNA, OCP 9i/10g/11g
3/30/16
mushfique98@gmail.com
Domain - 1
The Process of Auditing Information Systems (14%)
3/30/16
Exam Relevance
Ensure that the CISA candidate
Provide audit services in accordance with IT audit standards
to assist the organization in protecting and controlling
information systems.
The content area in this chapter will represent approximately
14% of the CISA examination(approximately 28 questions).
3/30/16
Exam Relevance
3/30/16
Task & Knowledge Statements

Task and knowledge statements represent the basis
from which exam items are written.
Tasks: Tasks are the learning objectives that IS
auditors/CISA candidates are expected to know to
perform their job duties. It has 5 task statements.
knowledge statements: In order to perform all
of the tasks, the IS auditor/CISA candidate should
have a firm grasp of all the knowledge statements
contained within the CISA Review Manual
Chapter 1. There are 10 knowledge statements.
3/30/16
Tasks/ Objectives
Audit Process Area, Tasks
5 Tasks Statements:
1.1 Develop and implement a riskbased IT audit strategy in

compliance with IT audit standards to ensure that key areas are
included.
1.2 Plan specific audits to determine whether information
systems are protected, controlled and provide value to the
organization.
1.3 Conduct audits in accordance with IS audit standards,
guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit
results to key stakeholders.
1.5 Advise on the implementation of risk management and control
practices within the organization, while maintaining independence.
3/30/16
Knowledge Statements
Process Area Knowledge Statements
Ten Knowledge Statements (contd.):
1.1 Knowledge of ISACA IT Audit and Assurance Standards,
Guidelines and Tools and Techniques, Code of Professional Ethics and
other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in
an audit context
1.3 Knowledge of control objectives and controls related to
information systems
1.4 Knowledge of audit planning and audit project management
techniques, including followup
1.5 Knowledge of fundamental business processes (e.g. Purchasing,
payroll, accounts payable, accounts receivable) including relevant IT
3/30/16
Process Area Knowledge Statements.

10 Knowledge Statements
1.6 Knowledge of applicable laws and regulations which affect the
scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation,
inquiry, inspection, interview, data analysis) used to gather, protect
and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g.,
facilitation, negotiation, conflict resolution, audit report Structure)
1.10 Knowledge of audit quality assurance systems and frameworks
3/30/16
1.2 Management of IS Audit Function
The audit function should be managed and led in a manner

that ensures that the diverse tasks performed and achieved by
the audit team will fulfill audit function objectives, while
preserving audit independence and competence. Furthermore,
managing the audit function should ensure value added
contributions to senior management regarding the efficient
management of IT and achievement of business objectives.
3/30/16
1.2.1 Organization of IS Audit Function
Audit charter (or engagement letter)
Stating managements responsibility and objectives for, and

delegation of authority to, the IS audit function
Outlining the overall authority, scope and responsibilities of the
audit function
Approval of the audit charter

Change in the audit charter
3/30/16
1.2.3 Audit Planning (continued)
Audit planning
Shortterm planning
Longterm planning
Things to consider
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Individual audit planning
Understanding of overall environment
Business practices and functions
Information systems and technology
3/30/16
Audit Planning Steps

Gain an understanding of the businesss mission, objectives,
purpose and processes.
Identify stated contents (policies, standards, guidelines,
procedures, and organization structure)
Evaluate risk assessment and privacy impact analysis
Perform a risk analysis.
Conduct an internal control review.
Set the audit scope and audit objectives.
Develop the audit approach or audit strategy.
Assign personnel resources to audit and address engagement
logistics.
3/30/16
1.2.4 Effect of Laws and Regulations

(continued)
Regulatory requirements
Establishment
Organization
Responsibilities
Correlation to financial, operational and IT
audit functions
3/30/16
1.2.4 Effect of Laws and Regulations

Steps to determine compliance with external requirements:
Identify external requirements

Document pertinent laws and regulations
Assess whether management and the IS function have
considered the relevant external requirements
Review internal IS department documents that address
adherence to applicable laws
Determine adherence to established procedures
3/30/16
1.3 ISACA IT Audit and Assurance Standards and

Guidelines
As of 16 August 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11)/ Audit and Assurance
Tools & Technique
3/30/16
Policy, Standards, Guidelines & Procedure
3/30/16
Definition: Standards, Guidelines & Procedure

Standards define mandatory requirements for IT audit
and assurance.
Guidelines provide guidance in applying IT Audit and
Assurance Standards. The objective of the IT Audit and
Assurance Guidelines is to provide further information on
how to comply with the IT Audit and Assurance
Standards.
Procedure/ Tools and Techniques provide examples
of procedures an IT audit and assurance professional
might follow. The objective of the IT Audit and Assurance
Tools and Techniques is to provide further information on
how to comply with the IT Audit and Assurance
Standards.
3/30/16
1.3.2 ISACA IT Audit and Assurance Standards Framework
IS Auditing Standards: 16
1. Audit charter
2. Independence
3. Professional Ethics and
Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts

10. IT governance
11. Use of risk assessment in
audit planning
12. Audit Materiality
13. Using the Work of Other
Experts
14. Audit Evidence
15. IT Controls
16. E-commerce
3/30/16
1.3.3 ISACA IT Audit and Assurance Guidelines (continued)

IS Auditing Guidelines: 41 (421= 41, G19 is cancelled)
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems 1 September
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning Revised
3/30/16
1.3.3 ISACA IT Audit and Assurance

Guidelines (continued)
G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professionals
Independence
G18 IT Governance
G19 Irregularities and Illegal Acts 1 July 2002. Withdrawn 1 September 2008
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Review Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence
3/30/16
1.3.3 ISACA IT Audit and Assurance

Guidelines
G31 Privacy
G32 Business Continuity Plan (BCP) Review From It
Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance
3/30/16
1.3.4 ISACA IT Audit and Assurance Tools and

Techniques
IT Audit and Assurance Tools and Techniques: 11

P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security AssessmentPenetration Testing and Vulnerability
Analysis
P9 Evaluation of Management Controls Over Encryption
Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)
3/30/16
IT Risk Assessment Quadrants

S
e
n
s
it
i
v
it
y
A
s
s
e
s
m
e
n
t
T
r
a
i
n
i
n
g
Quadrant II (Medium Risk)
Quadrant I (High Risk)
Suggested Action(s):
Accept
Mitigate
Transfer
Mitigate
Quadrant IV (Low Risk)
Quadrant III (Medium Risk)
Accept
Accept
Mitigate
Transfer
3/30/16
Vulnerability assessment Rating
ISACA IS Auditing Standards and Guidelines
ISACA Auditing Procedures

Procedures developed by the ISACA
Standards Board provide examples.
The IS auditor should apply their own
professional judgment to the specific
circumstances.
3/30/16
1.5 Internal Control (continued)
Internal Controls: Policies, procedures,

practices and organizational structures
implemented to reduce risks
3/30/16
Internal Control (continued)
Components of Internal Control System

Internal accounting controls
Operational controls
Administrative controls
3/30/16

Internal Control Objectives
Safeguarding of information technology assets
Compliance to corporate policies or legal
requirements
Authorization/input
Accuracy and completeness of processing of
transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations
3/30/16
Classification of Internal Controls
Preventive controls
Detective controls
Corrective controls
3/30/16
IS Control Objectives: Control objectives

in an information systems environment
remain unchanged from those of a manual
environment. However, control features
may be different. The internal control
objectives, thus need, to be addressed in a
manner specific to IS-related processes
3/30/16

IS Control Objectives (contd)
Safeguarding assets
Assuring the integrity of general operating system
environments
Assuring the integrity of sensitive and critical application
system environments through:
Authorization of the input
Accuracy and completeness of processing of
transactions
Reliability of overall information processing activities
Accuracy, completeness and security of the output
Database integrity
3/30/16

Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures,
and applicable laws
Developing business continuity and disaster recovery
plans
Developing an incident response plan
3/30/16

COBIT: COBIT supports IT governance and management by providing
a framework to ensure that IT is aligned with the business, IT enables
the business and maximizes benefits. IT resources are used
responsibly, and IT risks are managed appropriately.
A framework with 34 highlevel control objectives
Planning and organization

Acquisition and implementation
Delivery and support
Monitoring and evaluation
Use of 36 major IT related standards and regulations
3/30/16
General Control Procedures (continued)
apply to all areas of an organization and

include policies and practices established
by management to provide reasonable
assurance that specific objectives will be
achieved.
3/30/16
General Control Procedures (continued)
Internal accounting controls directed at accounting operations

Operational controls concerned with the daytoday operations
Administrative controls concerned with operational efficiency
and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and
records
Procedures and features to ensure authorized access to assets
Physical security policies for all data center
3/30/16
IS Control Procedures
Strategy and direction

General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration
3/30/16
3/30/16
Definition of Auditing
Systematic process by which a competent, independent

person objectively obtains and evaluates evidence regarding
assertions about an economic entity or event for the
purpose of forming an opinion about and reporting on the
degree to which the assertion conforms to an identified set
of standards.
3/30/16
Purpose of an Audit
An audit is simply a review of past history. The IS auditor is
expected to follow the defined audit process, establish audit
criteria, gather meaningful evidence, and render an independent
opinion about internal controls. The audit involves applying various
techniques for collecting meaningful evidence, and then
performing a comparison of the audit evidence against the
standard for reference.
Your key to success in auditing is to accurately report your
findings, whether good or bad or indifferent. A good auditor will
produce verifiable results. No one should ever come in behind you
with a different outcome of findings. Your job is to report what
the evidence indicates.
3/30/16
Classification of audits:
Internal audits and assessments This involves auditing your
own organization to discover evidence of what is occurring inside
the organization (self-assessment). These have restrictions on their
scope, and the findings should not be shared outside the
organization. The findings cannot be used for licensing.
External audits External audits involve your customer auditing
you, or you auditing your supplier. The business audits its customer
or supplier, or vice versa. The goal is to ensure the expected level
of performance as mutually agreed upon in their contracts.
Independent audits Independent audits are outside of the
customer-supplier influence. Third-party independent audits are
frequently relied on for licensing, certification, or product approval.
A simple example is independent consumer reports.
3/30/16
Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits
3/30/16
Audit Concept (continued...)

The IS auditor should understand the various types of audits that can be performed, internally
or externally, and the audit procedures associated with each:
Financial audits-The purpose of a financial audit is to assess the correctness of an
organization's financial statements. A financial audit will often involve detailed, substantive
testing. This kind of audit relates to information integrity and reliability.
Operational audits- An operational audit is designed to evaluate the internal control Structure
in a given process or area. IS audits of application controls or logical security systems are
examples of operational audits.
integrated audits-An integrated audit combines financial and operational audit steps. It is also
performed to assess the overall objectives within an organization, related to financial
information and assets' safeguarding, efficiency and compliance. An integrated audit can be
performed by external or internal auditors and would include compliance tests of internal
controls and substantive audit steps.
Administrative audits-These are oriented to assess issues related to the efficiency of
operational productivity within an organization.
3/30/16
Audit Concept
IS audits-This Process collects and evaluates evidence to determine whether the
information system and related resources adequately safeguard assets, maintain data
and system integrity. provide relevant and reliable information, achieve organizational
goals effectively, consume resources efficiently, and have in effect internal controls that
provide reasonable assurance and business. operational and control objectives will be
met and that undesired events will be prevented, or detected and corrected, in a timely
manner.
In short: Any audit that encompasses review and evaluation (wholly or partly) of
automated information processing systems, related non-automated processes and the
interfaces between them.
Specialized auditsWithin the category of IS audits, there are a number of specialized
reviews that examine areas such as services performed by third parties and forensic
auditing. Because businesses are becoming increasingly reliant on third-party service
providers, it is important that internal control be evaluated in these environments.
3/30/16
Audit Concept
Forensic audits-Traditionally, forensic auditing has been defined as an audit

specialized in discovering, disclosing and following up on frauds and crimes.
The primary purpose of such a review is the development of evidence for
review by law enforcement and judicial authorities. In recent years, the
forensic professional has been called upon to participate in investigations
related to corporate fraud and cybercrime. In cases where computer
resources may have been misused, further investigation is necessary to gather
evidence for possible criminal activity that can then be reported to appropriate
authorities. A computer forensic investigation includes the analysis of
electronic devices, such as computers, phones, personal digital assistants
(PDAs). disks, switches, routers. Hubs and other electronic equipment.
3/30/16
Auditors Responsibility
As an auditor, you are expected to fulfill a fiduciary relationship. A

fiduciary relationship is simply one in which you are acting for the
benefit of another person and placing the responsibilities to be fair
and honest ahead of your own interest. An auditor must never put
the auditee interests ahead of the truth. People inside and outside of
the auditee organization will depend on your reports to make
decisions.
The auditor is depended on to advise about the internal status of an
organization. Audits are different from inspections or assessments
because the individual performing the audit must be both objective
and impartial. This is a tremendous responsibility.
3/30/16
Comparing Audits to
Assessments
Audit An audit generates a report considered to represent a high
assurance of truth. Audits are used in asset reporting engagements.
Assessment An assessment is less formal and frequently more
cooperative with the people/
objects under scrutiny. Its purpose is to see what exists and to
assess value based on its relevance.
The assessment report is viewed to have lower value (moderate-tolow value) when
compared to an audit.
The primary goal of an assessment is to help the user/staff work
toward improving their score. However, the audit is the score that
actually counts for regulatory compliance purposes.
3/30/16
Comparing Audits to
Assessments
Auditor The auditor is the competent person performing the audit.
Auditee The organization and people being audited are collectively
called the auditee.
Client The client is the person or organization with the authority to
request the audit. A client may be the audit committee, external
customer, internal audit department, or regulatory group. If the client
is internal to the auditee, that client assumes the auditee role.
3/30/16
Auditors Independence
Independent means that you are not related professionally, personally, or
organizationally to the subject of the audit. You cannot be independent if the audits
outcome results in your financial gain or if you are involved in the auditees
decisions or design of the subject being audited.
an Independence Test
Here is a simple self assessment to help you determine your level of independence:
Are you auditing something you helped to develop?
Are you free of any conflicts, circumstances, or attitudes toward the auditee
that might affect the audit outcome?
Is your personal life free of any relationships, off-duty behavior, or financial

gain that could be perceived as affecting your judgment?
Do you have any organizational relationships with the auditee, including

business deals, financial obligations, or pending legal actions?
Do you have a job conflict? Does the organizational structure require your
position to work under the executive in charge of the area being audited?
Did you receive any gifts of value or special favors?
3/30/16
Audit Programs
Based on the scope and the objective of the

particular assignment
IS auditors perspectives
Security (confidentiality, integrity and availability)

Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and Capacity
3/30/16
General audit procedures
Understanding of the audit area/subject

Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting(communicating results)
Followup
3/30/16
Procedures for testing & evaluating IS controls
Use of generalized audit software to survey the

contents of data files
Use of specialized software to assess the
contents of operating system parameter files
Flowcharting techniques for documenting
automated applications and business process
Use of audit reports available in operation
systems
Documentation review
Observation
3/30/16
Audit Methodology
A set of documented audit procedures designed
to achieve planned audit objectives
Composed of
Statement of scope
Statement of audit objectives
Statement of work programs
Set up and approved by the audit management
Communicated to all audit staff
3/30/16
Typical audit phases

1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or
unit of the organization
3/30/16
Typical audit phases (Contd)

4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or
review
Identify locations or facilities to be audited
3/30/16

5. Audit procedures and steps for data
gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies,
standards and guidelines
Develop audit tools and methodology
3/30/16
6.
7.
8.
Procedures for evaluating test/review result

Procedures for communication
Audit report preparation
Identify followup review procedures
Identify procedures to evaluate/test operational
efficiency and effectiveness
Identify procedures to test controls
Review and evaluate the soundness of
documents, policies and procedures.
3/30/16
Typical Audit Phases Summary

Identify
the area to be audited
the purpose of the audit
the specific systems, function or unit
of the organization to be included in
the review.
technical skills and resources needed
the sources of information for tests or
review such as functional flowcharts,
policies, standards,
procedures and prior audit work
papers.
locations or facilities to be audited.
select the audit approach to verify
and test the controls
list of individuals to interview
obtain departmental policies, standards
and guidelines for review
Develop
audit tools and methodology to test and
verify control
procedures for evaluating the test or
review results
procedures for communication with
management
Report
follow-up review procedures

procedures to evaluate/test
operational efficiency and effectiveness
procedures to test controls
Review and evaluate the soundness of

documents, policies and procedures
3/30/16
WorkPapers (WPs) (Contd)

What are documented in WPs?
Audit
Audit
Audit
Audit
Audit
plans
programs
activities
tests
findings and incidents
3/30/16
WorkPapers
Do not have to be on paper
Must be
Dated
Initialized
Pagenumbered
Relevant
Complete
Clear
Selfcontained and properly labeled
Filed and kept in custody
3/30/16
Fraud Detection
Managements responsibility
Benefits of a welldesigned internal
control system
Deterring frauds at the first instance
Detecting frauds in a timely manner
Fraud detection and disclosure

Auditors role in fraud prevention and
detection
3/30/16
Audit Risk
Audit risk is the risk that the information/

financial report may contain material error that
may go undetected during the audit.
A riskbased audit approach is used to assess
risk and assist with an IS auditors decision to
perform either compliance or substantive testing.
3/30/16
Audit Risks: Types
Inherent risk
Control risk
Detection risk
Sampling risks
Nonsampling risks
Overall audit risk

Business risks
Technological risks
Operational risks
Residual risks
Audit risks
3/30/16
Audit Risks: Types
Inherent risk: Inherent risk is the risk that an error exists in the
absence of any compensating controlsan error which could become
significant when combined.
Control risk: Control risk is the risk that a material error exists that
will not be prevented or detected in a timely manner by the system of
internal controls.
Detection risk: Detection risk since the use of improper testing

procedures may not detect all material errors.
Sampling risks These are the risks that an auditor will falsely accept or
erroneously reject an audit sample (evidence).
Non sampling risks These are the risks that an auditor will fail to
detect a condition because of not applying the appropriate procedure or
using procedures inconsistent with the audit objective (detection fault).
3/30/16
Audit Risks: Types
Business risks These are risks that are inherent in the business or
industry itself. They may be regulatory, contractual, or financial.
Technological risks These are inherent risks of using automated

technology. Systems do fail.
Operational risks These are the risks that a process or procedure will
not perform correctly.
Residual risks These are the risks that remain after all mitigation
efforts are performed.
Overall audit risk: Is the combination of detection, control and

inherent risks for a given audit assignment.
3/30/16
Riskbased Approach Overview
Gather Information and Plan

Obtain Understanding of Internal
Control
Perform Compliance Tests
Perform Substantive Tests
Conclude the Audit
3/30/16
Materiality
An auditing concept regarding the importance of

an item of information with regard to its impact or
effect on the functioning of the entity being
audited
3/30/16
Risk Assessment Techniques
Enables management to effectively allocate

limited audit resources
Ensures that relevant information has been
obtained
Establishes a basis for effectively managing the
audit department
Provides a summary of how the individual audit
subject is related to the overall organization
and to business plans
Audit Objectives
It is the Specific goals of the audit
Compliance with legal & regulatory requirements

Confidentiality
Integrity
Reliability
Availability
3/30/16
Compliance vs. Substantive Testing
Compliance test
Determines whether controls are in compliance with
management policies and procedures
Substantive test
Tests the integrity of actual processing
A procedure used during accounting audits to check for errors

in balance sheets and other financial documentation. A
substantive test might involve checking a random sample of
transactions for errors, comparing account balances to find
discrepancies, or analysis and review of procedures used to
execute
and
record
transactions.
Auditors gather evidence about these assertions by
undertaking substantive procedures, which may include:
3/30/16
physically examining inventory on balance date as

evidence that inventory shown in the accounting
records actually exists (validity assertion); AND
making inquires of management about the
collectibility of customers' accounts as evidence
that trade debtors is accurate as to its valuation.
Thus, substantive procedures are performed by

an auditor to detect whether there are any
material misstatements in accounting
transactions.
3/30/16
Examples of substantive procedures are:
Bank confirmation
Accounts receivable confirmation
Inquire of management regarding the collectibility of customer accounts
Match customer orders to invoices billed
Match collected funds to invoices billed
Observe a physical inventory count
Confirm inventories not on-site
Match purchasing records to inventory on hand or sold
Confirm the calculations on an inventory valuation report
Observe fixed assets
Match purchase orders and supplier invoices to fixed asset records
Confirm accounts payable
Examine accounts payable supporting documents
Confirm debt
Analytical analysis of assets, liabilities, revenue, and expenses
3/30/16
3/30/16
Evidence
It is a requirement that the auditors conclusions must be
based on sufficient, competent evidence.
Independence of the provider of the

evidence
Qualification of the individual providing
the information or evidence
Objectivity of the evidence
Timing of evidence
3/30/16
Techniques for gathering evidence:
Review IS organization structures

Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee
performance
3/30/16
Interviewing and Observing Personnel
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships
3/30/16
Sampling (continued)
General approaches to audit sampling:
Statistical sampling: An objective method of determining the

sample size and selection criteria. This assessment will be
represented as a percentage. The results of a valid statistical
sample are mathematically quantifiable. (the probability of error
must be objectively quantified confidence coefficient)
Nonstatistical sampling: Uses auditor judgment to determine
the method of sampling, the number of items that will be examined
from a population (sample size) and which items to select (sample
selection). These decisions are based on subjective judgment as to
which items/transactions are the most material and most risky.
3/30/16
3/30/16
3/30/16
Methods of sampling used by auditors:
Attribute sampling: Attribute sampling, generally applied in
compliance testing situations, deals with the presence or
absence of the attribute and provides conclusions that are
expressed in rates of incidence.
Variable sampling: Variable sampling, generally applied in
substantive testing situations, deals with population
characteristics that vary, such as monetary values and weights
(or any other measurement), and provides conclusions related
to deviations from the norm.
3/30/16
Attribute Sampling
Stoporgo sampling: A sampling model that helps prevent excessive

sampling of an attribute by allowing an audit test to be stopped at the
earliest possible moment. Stoporgo sampling is used when the IS
auditor believes that relatively few errors will be found in a population.
Discovery Sampling: A sampling model that can be used when the
expected occurrence rate is extremely low. Discovery sampling is most
often used when the objective of the audit is to seek out (discover)
fraud circumvention of regulations or other irregularities.
Variable sampling
Stratified mean per unit: A statistical model in which the population

is divided into groups and samples are drawn from the various groups.
Stratified mean sampling is used to produce a smaller overall sample
size relative to un-stratified mean per unit. Examples are teenagers
from the ages of 13 to 19, people from the ages of 20 to 29, people
from the ages of 30 to 39, and those who are male or female, smokers
or nonsmokers, and so on.
Un-stratified mean per unit: A statistical model in which a sample mean
is calculated and projected as an estimated total.
Difference estimation: A statistical model used to estimate the total

difference between audited values and book (unaudited) values based on
differences obtained from sample observations. Un-stratified mean per unit
Difference estimation
3/30/16
Statistical sampling terms: (contd.)

Confident coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation
3/30/16
Statistical sampling terms: (contd.)
Confident coefficient: Confidence coefficient (also referred to as confidence

leve1 or reliability factor)A percentage expression (90 percent, 95 percent, 99
percent, etc.) of the probability that the characteristics of the sample are a true
representation of the population.
Level of risk: Equal to one minus the confidence coefficient. For example, if
the confidence coefficient is 95 percent, the level of risk is five percent (100
percent minus 95 percent).
Precision: Set by the IS auditor, it represents the acceptable range difference
between the sample and the actual population. For attribute sampling, this
figure is stated as a percentage. For variable sampling, this figure is stated as a
monetary amount or a number.
Expected error rate: An estimate stated as a percent of the errors that may
exist. The greater the expected error rate, the greater the sample size.
3/30/16
Statistical sampling terms:

Sample mean: The sum of a1l sample values, divided by the size of the
sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values
from the mean of the sample. Sample standard deviation measures the
spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of
errors that can exist without an account being materiality misstated.
Tolerable rate is used for the planned upper limit of the precision range for
compliance testing.
Population standard deviation: A mathematical concept that measures
the relationship to the normal distribution. The greaterthe standard
deviation, the larger the sample size.
3/30/16
Key steps in choosing a sample

Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as
attribute versus variable sampling.
Calculate the sample size
Select the sample
Evaluating the sample from an audit
perspective.
3/30/16
ComputerAssisted Audit Techniques. Contd.
CAATs enable IS auditors to gather information

independently
CAATs include:
Generalized audit software (GAS)

Utility software
Test data
Application software for continuous
online audits
Audit expert systems
3/30/16
Need for CAATs
Evidence collection
Functional capabilities
Functions supported
Areas of concern
3/30/16
Examples of CAATs used to collect evidence

CAATS as a continuous online approach
3/30/16
ComputerAssisted Audit Techniques.

Contd.
Development of CAATs
Documentation retention
Access to production data
Data manipulation
3/30/16
Evaluation of Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses
3/30/16
Judging Materiality of Findings
Materiality is a key issue

Assessment requires judgment of the potential
effect of the finding if corrective action is not
taken
3/30/16
Communicating Audit Results

Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed
recommendations
Presentation techniques
Executive summary
Visual presentation
3/30/16
Audit report structure and contents
An introduction to the report

The IS auditors overall conclusion and opinion
The IS auditors reservations with respect to
the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed
3/30/16
Management Implementation of Recommendations
Auditing is an ongoing process

Timing of followup
3/30/16
Audit Documentation
Contents of audit documentation

Custody of audit documentation
Support of findings and conclusions
3/30/16
Control SelfAssessment (CSA), Contd.

The Primary objective is to leverage the
internal audit function by shifting some of the
control monitoring responsibilities to the
functional areas.
A management technique
A methodology
In practice, a series of tools
3/30/16
Control SelfAssessment (CSA), Contd.
Implementation of CSA
Facilitated workshops
Hybrid approach
3/30/16
Control Self Assessment

Benefits of CSA
Early Detection of Risk
More Effective and improved internal controls
Highly Motivated Employee
Improved Audit Rating process
Assurance to Top Management and Stakeholders
Disadvantages of CSA
It may be regarded as an additional workload
Failure to act on improvement suggestions could
damage employee morale.
3/30/16
Control Self Assessment

IS Auditors Role in CSAs: When CSA in place, auditors becomes internal
control professionals and assessment facilitators.
Technology Drivers for CSA Program: Some of the technology drives
includes combination of hardware and software to support CSA selection,
and the use of an electronic meeting system and computersupported
decision aids to facilitate group decision making.
Traditional vs. CSA Approach: The traditional approach can be
summarized as any approach in which the primary responsibility for
analyzing and reporting on internal control and risk is assigned to auditors,
and to a lesser extent, controller departments and outside consultants. The
CSA Approach, emphasizes management and accountability over developing
and monitoring internal controls of an organizations sensitive and critical
business process.
3/30/16
3/30/16
Emerging Changes in IS Audit Process
New Topics:
Automated Work Papers

Integrated Auditing
Continuous Auditing
3/30/16

Automated Work Papers (Contd)
Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary
information
3/30/16

Controls over automated work papers:
Access to work papers

Audit trails
Approvals of audit phases
Security and integrity controls
Backup and restoration
Encryption for confidentiality
3/30/16
Integrated Auditing
Integrated Auditing
process whereby appropriate audit disciplines are combined
to assess key internal controls over an operation, process or
entity
Focuses on risk to the organization (for an internal
auditor)
Focuses on the risk of providing an incorrect or
misleading audit opinion (for external auditor
3/30/16
Integrated Auditing Typical process:
Identification of relevant key controls

Review and understanding of the design of key
controls
Testing that key controls are supported by the
IT system
Testing that management controls operate
effectively
A combined report or opinion on control risks,
design and weaknesses
Continuous Auditing
Continuous Auditing: A methodology that enables
independent auditors to provide written assurance
on a subject matter using a series of auditors
reports issued simultaneously with, or a short period
of time after, the occurrence of events underlying
the subject matter
3/30/16
Continuous Auditing vs. Continuous Monitoring
Continuous Monitoring
Managementdriven
Based on automated procedures to meet
fiduciary responsibilities
Continuous Auditing
Auditdriven
Done using automated audit procedures
3/30/16
Continuous Auditing Enabler for the Application

of Continuous Auditing
New information technology

Increased processing capabilities
Standards
Artificial intelligence tools
3/30/16
IT Techniques in a Continuous Auditing Environment

Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining.
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business
Reporting Language
3/30/16
Continuous Auditing Prerequisites
A high degree of automation

An automated and reliable informationproducing
process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors mindset
Evaluation of cost factors
3/30/16
Continuous Auditing
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors personal judgment and
evaluation
3/30/16
Practice Question
Practice Questions (contd.)
Q. What does fiduciary responsibility mean?
A. To use information gained for personal interests without
breaching confidentiality of the client.
B. To act for the benefit of another person and place the
responsibilities to be fair and honest ahead of your own interest.
C. To follow the desires of the client and maintain total
confidentiality even if illegal acts are discovered. The auditor shall
never disclose information from an audit in order to protect the
client.
D. None of the above.
3/30/16
Practice Question
Answer is B. Accountants, auditors, and lawyers
act on behalf of their clients best interests unless
doing so places them in violation of the law. It is
the highest standard of duty implied by law for a
trustee and guardian.
3/30/16
Practice Question
Q: What are the different types of audits?
A. Forensic, accounting, verification, regulatory
B. Integrated, operational, compliance,
administrative
C. Financial, SAS-74, compliance, administrative
D. Information systems, SAS-70, regulatory,
procedural
3/30/16
Practice Question
Answer is B. All of the audit types are valid
except procedural, SAS-74, verification, and
regulatory. The valid audit types are financial,
operational (SAS-70), integrated (SAS-94),
compliance, administrative, forensic, and
information systems. A forensic audit is used to
discover information about a possible crime.
3/30/16
Practice Question
Q: How does the auditor derive a final
opinion?
A. From evidence gathered and the auditors
observations
B. By representations and assurances of
management
C. By testing the compliance of language used in
organizational policies
D. Under advice of the audit committee
3/30/16
Practice Question
Q: Answer is A. A final opinion is based on
evidence gathered and testing. The purpose of an
audit is to challenge the assertions of
management. Evidence is gathered that will
support or disprove claims.
3/30/16
Practice Question
Q: Which of the following BEST describes the
early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and
environment applicable to the review
D. Reviewing prior IS audit reports
3/30/16
Answer
11C: Understanding the business process and
environment applicable to the review is most
representative of what occurs early on in the
course of an audit. The other choices relate to
activities actually occurring within this process.
3/30/16

Q: In performing a riskbased audit,
which risk assessment is completed
initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
3/30/16
Answer
12C: Inherent risks exist independently of an audit and
can occur because of the nature of the business. To
successfully conduct an audit, it is important to be aware of
the related business processes. To perform the audit the IS
auditor needs to understand the business process, and by
understanding the business process, the IS auditor better
understands the inherent risks.
3/30/16

Q: While developing a riskbased audit program, on
which of the following would the IS auditor MOST
likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
3/30/16
Answer
13A: A riskbased audit approach focuses on the
understanding of the nature of the business and
being able to identify and categorize risk. Business
risks impact the longterm viability of a specific
business. Thus, an IS auditor using a riskbased
audit approach must be able to understand
business processes.
3/30/16

Q: Which of the following types of audit risk
assumes an absence of compensating controls
in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
3/30/16
Answer
14C: The risk of an error existing that could be material or
significant when combined with other errors encountered during
the audit, there being no related compensating controls, is the
inherent risk. Control risk is the risk that a material error exists
that will not be prevented or detected in a timely manner by the
system of internal controls. Detection risk is the risk of an IS
auditor using an inadequate test procedure that concludes that
material errors do not exist, when they do. Sampling risk is the
risk that incorrect assumptions are made about the characteristics
of a population from which a sample is taken.
3/30/16

Q: An IS auditor performing a review of an application's controls finds a
weakness in system software that could materially impact the application. The
IS auditor should:
A. disregard these control weaknesses since a system software review is

beyond the scope of this review.
B. conduct a detailed system software review and report the control
weaknesses.
C. include in the report a statement that the audit was limited to a review of
the application's controls.
D. review the system software controls as relevant and recommend a detailed
system software review.
3/30/16
Answer
15D: The IS auditor is not expected to ignore control weaknesses
just because they are outside the scope of a current review.
Further, the conduct of a detailed systems software review may
hamper the audit's schedule and the IS auditor may not be
technically competent to do such a review at this time. If there are
control weaknesses that have been discovered by the IS auditor,
they should be disclosed. By issuing a disclaimer, this responsibility
would be waived. Hence, the appropriate option would be to review
the systems software as relevant to the review and recommend a
detailed systems software review for which additional resources
may be recommended.
3/30/16

Q: The PRIMARY use of generalized audit
software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.
3/30/16
Answer
16C: Generalized audit software facilitates direct access to and
interrogation of the data by the IS auditor. The most important advantage
of using GAS is that it helps in identifying data of interest to the IS auditor.
GAS does not involve testing of application software directly. Hence, GAS
indirectly helps in testing controls embedded in programs by testing data.
GAS cannot identify unauthorized access to data if this information is not
stored in the audit log file. However, this information may not always be
available. Hence, this is not one of the primary reasons for using GAS.
Vouching involves verification of documents. GAS could help in selecting
transactions for vouching. Using GAS does not reduce transaction vouching.
3/30/16
Q: Which of the following is MOST effective

for implementing a control selfassessment
(CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
3/30/16
Answer
17B: Facilitated workshops work well within
business units. Process flow narratives and data
flow diagrams would not be as effective since they
would not necessarily identify and assess all
control issues. Informal peer reviews similarly
would be less effective for the same reason.
3/30/16

Q: The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business objectives.
D. develop the audit approach or audit strategy.
3/30/16
Answer
18C: The first step in audit planning is to gain an
understanding of the business's mission, objectives and
purpose, which in turn identifies the relevant policies,
standards,
guidelines,
procedures,
and
organization
structure. All other choices are dependent upon having a
thorough understanding of the business's objectives and
purpose.
3/30/16

Q: The approach an IS auditor should
use to plan IS audit coverage should
be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
3/30/16
Answer
19A: Standard S5, Planning, establishes
standards and provides guidance on planning an
audit. It requires a riskbased approach.
3/30/16
Practice Questions
Q: A company performs a daily backup of critical data
and software files, and stores the backup tapes at an
offsite location. The backup tapes are used to restore
the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
3/30/16
Answer
110C: A corrective control helps to correct or minimize the impact of
a problem. Backup tapes can be used for restoring the files in case of
damage of files, thereby reducing the impact of a disruption.
Preventive controls are those that prevent problems before they arise.
Backup tapes cannot be used to prevent damage to files and hence
cannot be classified as a preventive control. Management controls
modify processing systems to minimize a repeat occurrence of the
problem. Backup tapes do not modify processing systems and hence
do not fit the definition of a management control. Detective controls
help to detect and report problems as they occur. Backup tapes do not
aid in detecting errors.
3/30/16
Question
&
Answer
3/30/16
THIS IS A COMFORTABLE POINT TO

SAY.
THANK YOU
AND BEST OF LUCK
3/30/16

CISA Domain 1: Information Systems Auditing Process

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

CISA Domain 1: Information Systems Auditing Process

Enviado por

Direitos autorais:

Formatos disponíveis

INTRODUCTION

Md. Mushfiqur Rahman, CISA, ITIL-F

Task & Knowledge Statements

1.1 Develop and implement a riskbased IT audit strategy in

Process Area Knowledge Statements.

1.2 Management of IS Audit Function

The audit function should be managed and led in a manner

1.2.1 Organization of IS Audit Function

Audit charter (or engagement letter)

Stating managements responsibility and objectives for, and

Approval of the audit charter

1.2.3 Audit Planning (continued)

Audit Planning Steps

1.2.4 Effect of Laws and Regulations

1.2.4 Effect of Laws and Regulations

Identify external requirements

1.3 ISACA IT Audit and Assurance Standards and

Policy, Standards, Guidelines & Procedure

Definition: Standards, Guidelines & Procedure

1.3.2 ISACA IT Audit and Assurance Standards Framework

9. Irregularities and illegal acts

1.3.3 ISACA IT Audit and Assurance Guidelines (continued)

1.3.3 ISACA IT Audit and Assurance

1.3.3 ISACA IT Audit and Assurance

1.3.4 ISACA IT Audit and Assurance Tools and

IT Audit and Assurance Tools and Techniques: 11

IT Risk Assessment Quadrants

Quadrant II (Medium Risk)

Quadrant I (High Risk)

Quadrant IV (Low Risk)

Quadrant III (Medium Risk)

Vulnerability assessment Rating

ISACA IS Auditing Standards and Guidelines

ISACA Auditing Procedures

1.5 Internal Control (continued)

Internal Controls: Policies, procedures,

Internal Control (continued)

Components of Internal Control System

Internal Control (continued)

Internal Control (continued)

Classification of Internal Controls

Internal Control (continued)

IS Control Objectives: Control objectives

Internal Control (continued)

Internal Control (continued)

Internal Control (continued)

Planning and organization

Use of 36 major IT related standards and regulations

Internal Control (continued)

General Control Procedures (continued)

apply to all areas of an organization and

Internal Control (continued)

General Control Procedures (continued)

Internal accounting controls directed at accounting operations

Internal Control (continued)

Strategy and direction

Systematic process by which a competent, independent

Audit Concept (continued...)

Forensic audits-Traditionally, forensic auditing has been defined as an audit

As an auditor, you are expected to fulfill a fiduciary relationship. A

Are you auditing something you helped to develop?

Is your personal life free of any relationships, off-duty behavior, or financial

Do you have any organizational relationships with the auditee, including