Certified Information Systems Auditor is a registered trademark of ISACA
ISACA® is a registered trade mark of Information Systems Audit and Control Association.
© Simplilearn. All rights reserved.
Introduction to CISA
Certified Information Systems Auditor (CISA®)
Learning Objectives
By the end of this introductory domain, you will be able to:
• Describe CISA
• Demonstrate your understanding of the ISACA organization
• Discuss the history of CISA
• Understand the current CISA syllabus
• Describe the value of CISA
• List the requirements for certification and how to maintain the certification
• Outline the structure of CISA exams
Introduction to CISA
Introduced by ISACA in 1978, CISA has grown both in stature,
professional offering, and global influence. It is a widely recognized
certification because of the following features:
● CISA is the preferred certification for information systems control,
assurance, and security professionals.
● CISA is designed with the aim of attracting information systems
auditors, people concerned with technology security, educators,
and even CIOs.
ISACA
ISACA formerly stood for Information Systems Audit and Control Association. However, the organization is now known by
the acronym ISACA only, to reflect the range of IT governance professionals it caters for. ISACA was
founded in 1969 as a nonprofit organization and currently (in 2019) has over 159,000 members in 188 countries.
Following are the certifications provided by ISACA:
• Certified Information Systems Auditor® (CISA®)
• Certified Information Security Manager® (CISM®)
• Certified in the Governance of Enterprise IT® (CGEIT®)
• Certified in Risk and Information Systems Control (CRISC®)
ISACA has developed COBIT 5, Risk IT, and Val IT, which it continually updates.
History of CISA
• Introduced in 1978
• First exam held in 1981
• Approved by the United States Defense Department as part of its assurance framework
• In 2011, the curriculum changed from six domains to five domains
Current CISA Syllabus
The CISA syllabus (2019) is divided into five domains. The exam has 150 multiple-choice questions. The duration of the exam is four hours.
Beginning June 2019, ISACA is offering continuous testing, with a 365-day exam eligibility period in which to take your exam. Following is a summary
of the CISA domains and their exam weightage:
Domain 1: Information Systems Auditing Process (21%)
Domain 2: Governance and Management of IT (17%)
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
Domain 4: Information Systems Operations and Business Resilience (23%)
Domain 5: Protection of Information Assets (27%)
Total: 100%
Value of CISA
A CISA designation has numerous benefits:
• Globally accepted and recognized certification
• Increased value at the workplace
• Achievement of a high professional standard
• Higher earnings and greater career growth
• Increased confidence
• Trust and recognition for expertise
CISA Certification
The steps to obtain a CISA certification are:
• Pass the CISA exam with a minimum score of 450
• Apply for certification:
  o A minimum of five years' experience in the IS audit domain areas is needed
  o Note: the certification application must be made within five years of sitting for the exam
  o Waivers are possible; see the ISACA website for details
• Agree to the Code of Professional Ethics
• Adhere to the Continuing Professional Education (CPE) Program
• Comply with the IS auditing standards
CISA Examination
CISA exams are prepared with the aim of gauging and testing hands-on skills in information systems control and audit.
Exam title: Certified Information Systems Auditor (CISA®)
Exam duration: Four hours to answer 150 multiple-choice questions covering five practice areas
Exam type: Computer-based
Question type: Multiple-choice questions
Pass requirements: A candidate must receive a score of 450 or higher to pass the exam
Scaled score: A scaled score is a conversion of a candidate's raw score on an exam to a common scale. A candidate's
scores are reported as a scaled score. ISACA uses and reports scores on a common scale from 200 to 800.
Information System Auditing Process
Certified Information Systems Auditor (CISA®)
Learning Objectives
By the end of this domain, you'll be able to:
• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
• Communicate audit progress, findings, results, and recommendations to stakeholders
• Conduct an audit follow-up to evaluate whether risks have been sufficiently addressed
• Evaluate IT management and monitoring of controls
• Utilize data analytics tools to streamline an audit process
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
• Identify opportunities for process improvement in the organization's IT policies and practices
Part A: Planning
The following topics are covered in Part A:
• IS Audit standards, guidelines, and codes of ethics
• Business processes
• Types of controls
• Risk-based audit planning
• Types of audits and assessments
Part A: Planning 1.1: IS Audit Standards, Guidelines, and Codes of Ethics
Introduction
Credibility of an audit is based, in part, on use of commonly accepted standards.
ISACA is the global pioneer of IS Assurance and Audit guidelines, Tools and Techniques, Standards, and Code of
Professional Ethics.
ISACA standards provide a benchmark for IS audit.
Main Areas of Coverage
The main areas covered under this knowledge statement are:
• ISACA IS Audit and Assurance Standards Framework
• ISACA IS Audit and Assurance Guidelines
• ISACA IS Audit and Assurance Tools and Techniques
• ISACA Code of Professional Ethics
• Relationship between Guidelines, Tools and Techniques, and Standards
The CISA exam will test your understanding of the application of standards and guidelines.
Categories of Standards and Guidelines
General
□ This category applies to all assignments and contains guiding principles for IS assurance.
□ It covers:
  o Ethics
  o Independence
  o Objectivity
  o Due care
  o Knowledge
  o Competence
  o Skill
Performance
□ This category deals with the conduct of the IS audit and assurance assignments.
□ It covers:
  o Planning
  o Scoping
  o Risk
  o Materiality
  o Supervision
  o Exercise of professional judgement
  o Due care
Reporting
□ This category covers:
  o Reports
  o Information
  o Means of communication
ISACA IS Audit and Assurance Standards
General
• 1001 Audit Charter
• 1002 Organizational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertion
• 1008 Criteria
Performance
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts
Reporting
• 1401 Reporting
• 1402 Follow-up Activities
ISACA IS Audit and Assurance Guidelines
General
• 2001 Audit Charter
• 2002 Organizational Independence
• 2003 Professional Independence
• 2004 Reasonable Expectation
• 2005 Due Professional Care
• 2006 Proficiency
• 2007 Assertion
• 2008 Criteria
Performance
• 2201 Engagement Planning
• 2202 Risk Assessment in Planning
• 2203 Performance and Supervision
• 2204 Materiality
• 2205 Evidence
• 2206 Using the Work of Other Experts
• 2207 Irregularity and Illegal Acts
• 2208 Sampling
Reporting
• 2401 Reporting
• 2402 Follow-up Activities
ISACA Code of Professional Ethics
ISACA set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the
association. The members and certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
• Perform their duties with due diligence and professional care in accordance with professional standards and best practices.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by a legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities that they reasonably expect to complete with professional competence.
• Inform appropriate parties about the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders to enhance their understanding of information systems security and control.
• Serve in the interest of stakeholders in a lawful and honest manner while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
Failure to comply with the Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures.
ISACA IT Audit and Assurance Standards Framework Objective
The objectives of IS audit and assurance standards are to inform:
• IS auditors of the minimum level of performance required to meet the professional responsibilities set in the Professional Code of Ethics
• Management of the profession's requirements regarding the work of audit practitioners
• CISA certification holders that failure to meet these standards results in a review of their conduct by the ISACA board of directors, which may ultimately result in disciplinary action
ISACA IS Audit and Assurance Guidelines
• ISACA IS Audit and Assurance guidelines provide additional information on how to comply with
the ISACA Information Technology Assurance and Audit Standards.
• The IS Auditor should use professional judgment and be able to justify any differences.
• Guideline documents are identified by a prefix G, followed by the number, for example, “G10.”
There are 42 categories of guidelines.
ISACA IS Audit Guidelines
• Using the Work of Other Auditors
• Audit Evidence Requirement
• Use of Computer-Assisted Audit Techniques (CAATs)
• Outsourcing of IS Activities to Other Organizations
• Audit Charter
• Materiality Concepts for Auditing Information Systems
• Due Professional Care
• Audit Documentation
• Audit Considerations for Irregularities and Illegal Acts
• Audit Sampling
• Effect of Pervasive IS Controls
• Organizational Relationship and Independence
• Use of Risk Assessment in Audit Planning
• Application Systems Review
• Planning
• Effect of Third Parties on an Organization's IT Controls
• Effect of Non-audit Role on the IS Auditor's Independence
• IT Governance
• Irregularities and Illegal Acts
• Reporting
• Enterprise Resource Planning (ERP) Systems Review
• Business-to-Consumer (B2C) E-commerce Review
• System Development Life Cycle (SDLC) Review
• Internet Banking
• Responsibility, Authority, and Accountability
• Follow-up Activities
• Biometric Controls
• Configuration Management
• Access Controls
• IT Organization
• Review of Security Management Practices
• Return on Security Investment (ROSI)
• Continuous Assurance
• Review of Virtual Private Networks
• Business Process Reengineering (BPR) Project Reviews
• Mobile Computing
• Computer Forensics
• Post-implementation Review
• Competence
• Privacy
• Business Continuity Plan (BCP) Review from IT Perspective
• General Considerations on the Use of the Internet
ISACA IS Audit and Assurance Tools and Techniques
IS audit and assurance tools and techniques provide additional guidance to IS audit and assurance professionals. They include:
• White papers
• IS audit and assurance programs
• COBIT 5 family of products
• Reference books
Tools and techniques are listed under www.isaca.org/itaf.
ISACA IS Audit and Assurance Tools and Techniques
ISACA has standards and guidelines related to audit (ITAF™):
• Section 2200: General Standards
• Section 2400: Performance Standards
• Section 2600: Reporting Standards
• Section 3000: IT Assurance Guidelines
• Section 3200: Enterprise Topics
• Section 3400: IT Management Processes
• Section 3600: IT Audit and Assurance Processes
• Section 3800: IT Audit and Assurance Management
Business Processes
Explanation
A business process is an inter-related set of cross-functional activities or events that result in the delivery of a
specific product or service to a customer.
An IS auditor must understand and evaluate the business processes they are auditing.
An internal audit function must be independent and report to the audit committee or to the board of directors.
Audit Charter
Audit charters are high-level documents that define the purpose, authority, and responsibility of the internal audit activity. The charter:
• Grants and assigns authorization, responsibility, and accountability to the auditor
• Guides the auditor to get approval from the board of directors or the audit committee, or from senior management in their absence
• Defines the scope of the audit function's activities
Fundamental Business Processes
Explanation
• Understanding the underlying business process that is audited
• Understanding the role that IS plays in these processes
• IS auditing involves assessment of IS-related controls and understanding the control objectives
• Identifying key controls that help achieve a well-controlled environment, according to standards
Audit Planning
• Audit planning is the first step of the audit process.
The auditor's responsibilities during the planning phase include:
• Gaining an understanding of the client and its business
• Establishing priorities
• Determining an audit strategy
• Determining the type of evidence to collect, based on the risk levels
• Assigning personnel resources for the audit
• Scheduling with the client to coordinate activities
The result of a well-researched and completed audit plan is an audit program.
Fundamental Business Processes: Transaction Examples
Examples
• A bank may have various transactions: mobile banking, ATM transactions, and over-the-counter transactions (for example, deposits and withdrawals)
• A chain store may have PoS (Point of Sale) transactions with credit card information, or cash extranet transactions with suppliers (Electronic Data Interchange)
Using the Services of Other Auditors and Experts
IS audit and assurance professionals should:
• Consider using the work of other experts when there are constraints which would impair work performance
or potential gains in the quality of engagement.
• Assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant
experience, resources, independence, and quality‐control processes prior to the engagement.
• Assess, review, and evaluate the work of other experts as part of the engagement, and document the
conclusion on the extent of use and reliance on their work.
Part A: Planning 1.2: Business Processes
Relationship between Standards, Guidelines, Tools and Techniques
• Standards: They are mandatory.
• Guidelines: They provide assistance on how an Information Systems Auditor (ISA) can implement standards in audits.
• Tools and Techniques: They provide examples of steps that the auditor may follow in audits.
□ The ISA must use professional judgment while applying the guidelines, tools, and techniques.
□ Legal and regulatory requirements may sometimes be more stringent than the standards.
□ The ISA should ensure compliance with the more stringent legal or regulatory requirements.
Types of Controls
Control Principles
Explanation
• Understand how the controls function
• Explain how those control principles relate to IS
Internal Controls
They are the policies, procedures, practices, and structures incorporated by an organization to reduce risk.
They can be manual or automated.
Internal Controls are an enterprise’s internal processes implemented to achieve specific objectives while
minimizing risk.
They provide reasonable assurance to management that business objectives will be achieved and undesirable
events will be prevented, detected, and corrected.
Internal Controls
Internal controls have two broad objectives:
• Increase the likelihood of an objective or a desirable event. Examples of objectives:
  o Ensure that business requirements are clearly documented and understood
  o Ensure software delivery without time and cost overruns
  o Ensure testing before release
• Decrease the likelihood of an undesirable event occurring. Examples of undesirable events:
  o Virus outbreak
  o Unfulfilled project objectives
Internal Controls
Internal controls consider two things: what can be achieved, and what can be evaded.
Internal control procedures have two categories:
• General control procedures
• Information system control procedures
Classification of Internal Controls
Internal controls are classified as preventive, corrective, and detective controls.
Preventive Controls
• Predict and prevent problems before they occur
• Monitor input controls and events as a preventive measure
• Examples:
  o Segregation of duties
  o Maker-checker/four-eyes principle
  o Input and access controls (physical and logical)
  o Encryption of data at rest and in transit
Corrective Controls
• Minimize the impact of a threat and rectify the cause of a problem
• Correct detected errors
• Root cause analysis, followed by changes to minimize future occurrences
• Examples:
  o Disaster recovery and business continuity planning
  o Incident response
  o Backups, to ensure recovery by restoring data
  o Reruns of failed processes
Detective Controls
• Controls to detect and report intentional and unintentional errors after they occur
• Report incidence of errors, attacks, and omissions as they occur
• Examples:
  o Logs
  o Error messages
  o Hash totals
  o Rechecking of calculations
  o Scrutiny of reports
  o Code review
  o Internal audit function
  o Logical and physical access logging, such as application audit trails, database security logging, server room access control, and door logging to record the person and time
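As an added example (not from the slides or from ISACA material) of how one of the detective controls listed above, hash totals, catches lost or altered records, the following Python computes batch control totals for a constructed set of payment records and reconciles them after the batch has been "processed". The record layout, the sample values, and the function names are assumptions for this illustration. It goes a little beyond the slide: it shows record counts and financial totals alongside the hash total, and a SHA-256 digest of the batch as the cryptographic counterpart that also catches a change an arithmetic total cannot see.

```python
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Transaction:
    """One record in a payment batch. The layout and values are constructed for this
    illustration, not taken from the course."""
    txn_id: str
    account: int        # non-financial field: its sum is the hash total
    amount_cents: int   # financial field: its sum is the financial total


# Constructed batch as keyed in by the originating department.
SAMPLE_BATCH = (
    Transaction("T-001", 1001, 25_000),
    Transaction("T-002", 2002, 7_500),
    Transaction("T-003", 3003, 120_000),
)

# Constructed copies of the batch as it might arrive after processing or transfer.
DROPPED_RECORD = SAMPLE_BATCH[:2]                        # last record lost
ALTERED_ACCOUNT = (SAMPLE_BATCH[0],                       # account 2002 changed to 2020
                   Transaction("T-002", 2020, 7_500),
                   SAMPLE_BATCH[2])
SWAPPED_ACCOUNTS = (Transaction("T-001", 2002, 25_000),   # accounts exchanged between two
                    Transaction("T-002", 1001, 7_500),    # records: every sum is unchanged
                    SAMPLE_BATCH[2])


def batch_control_totals(batch):
    """Control totals recorded before the batch is released for processing.

    record_count    - number of records
    financial_total - sum of the monetary field
    hash_total      - sum of a field with no financial meaning (account numbers);
                      it exists only so that a lost, duplicated or altered record
                      changes the total
    digest          - SHA-256 over a canonical JSON serialisation of the batch;
                      it also catches changes that leave every arithmetic total intact
    """
    canonical = json.dumps([asdict(t) for t in batch], sort_keys=True, separators=(",", ":"))
    return {
        "record_count": len(batch),
        "financial_total": sum(t.amount_cents for t in batch),
        "hash_total": sum(t.account for t in batch),
        "digest": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    }


def reconcile(expected_totals, received_batch):
    """Recompute the totals for the batch as received and return the names of the
    controls that disagree with the recorded values (an empty list means it reconciles)."""
    actual = batch_control_totals(received_batch)
    return [name for name, value in expected_totals.items() if actual[name] != value]


if __name__ == "__main__":
    recorded = batch_control_totals(SAMPLE_BATCH)
    cases = (("as sent", SAMPLE_BATCH), ("record dropped", DROPPED_RECORD),
             ("account altered", ALTERED_ACCOUNT), ("accounts swapped", SWAPPED_ACCOUNTS))
    for label, received in cases:
        print(f"{label:<17} mismatches: {reconcile(recorded, received) or 'none'}")
```

The swapped-accounts case is the caveat worth remembering: a plain hash total only detects changes that alter the sum, so two records whose account numbers are exchanged reconcile on every arithmetic total and are caught only by the digest. Being a detective control, the reconciliation reports the discrepancy after the fact; the corrective counterpart from the previous list, a rerun of the failed batch, is what actually fixes it.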
General Controls
General controls are the policies and procedures involving all areas of an organization, including IT infrastructure and support services. They enable IT functioning for the achievement of corporate goals, such as:
• Controls over data centers and networks
• Access control
• Segregation of duties
• SDLC and change management
• Physical security
General Controls
• Internal accounting controls: safeguarding of assets and reliability of financial records
• Operational controls: day-to-day functions and activities to accomplish business objectives
• Administrative controls: support operational controls, operational efficiency, and adherence to management
General controls also cover:
• Safeguarding of assets and ensuring proper utilization of resources
• Facilities, data centers, servers, IT infrastructure, and access control policies
• Organizational policies and procedures
• Physical and logical security policies
IS Control Objectives
IS control objectives are high-level objectives that management may use for effective control of IT processes. They are:
• A statement of the preferred purpose or result to be attained by applying controls around information system processes
• Made of procedures, policies, organizational structures, and practices
• Intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected, or prevented
IS Control Objectives
The overarching principles of IS controls are confidentiality, integrity, availability, effectiveness, efficiency, compliance, and reliability.
• The first three are the basic principles of information systems security.
• Effectiveness is getting the job done with a high degree of certainty.
• Efficiency is getting it done with optimal use of resources.
IS Control Objectives
Management plays an important role in regulating IS control objectives:
• Selecting the control objectives that can be easily implemented and are most appropriate to the organization's policies
• Being cognizant of the risk involved in non-implementation of some of the applicable control objectives
• Deciding the manner of implementation
IS Control Objectives: Examples
• Ensure integrity of the system, such as operating system integrity
• Ensure integrity of the sensitive and critical application systems
• Ensure safeguarding of assets
• Ensure effectiveness and efficiency of operations
• Ensure proper authentication process for users
• Ensure availability of service through disaster recovery planning and business continuity planning
• Ensure availability of IT assets by having BCP and DR plans
• Ensure integrity of application systems by input authorization, input validation, accuracy and completeness of data processing, database integrity, and accuracy, completeness, and security of output controls
• Protect computer systems from improper access
• Ensure that inputs are validated
• Ensure database confidentiality, integrity, and availability
• Ensure outsourced IT processes and services have clearly defined SLAs, organizational assets are protected, and business objectives are met
• Safeguard information assets by implementing physical and logical access controls
• Ensure SDLC processes are established, maintained, and followed for repeatable and reliable development of software applications to meet business objectives
• Ensure integrity and reliability of systems by implementing change management controls
• Ensure availability of IT services by developing effective and efficient disaster recovery and business continuity plans
IS Controls
IS control procedures include the following:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to Information Technology programs, data, and resources
• System development procedures
• Operation procedures
• System programming and system support departments
• Quality Assurance (QA) processes
• Physical access controls
• Business Continuity (BCP)
• Communications and networks
• Database administration
• Detective and protection mechanisms
Part A: Planning 1.3: Types of Controls
Enterprise Architecture
• An Enterprise Architecture (EA) is a conceptual blueprint that defines the structure and operations of an organization.
• It determines how an organization can most effectively achieve its current and future objectives.
• It determines whether IT is aligned with enterprise objectives and delivers value to the business, keeping in view the complexity of an organization.
Source: http://searchcio.techtarget.com/definition/enterprise-architecture
Zachman Framework™
• It is a method to define an enterprise.
• It is a schema with an intersection between two historical classifications.
• Two classifications are combined:
  o The first is what, how, when, who, where, and why. It includes the fundamentals of communication: the primitive interrogatives.
  o The second is identification, definition, representation, specification, configuration, and instantiation. It is derived from reification, the transformation of an abstract idea into an instantiation, initially postulated by ancient Greek philosophers.
Zachman Framework™ for Enterprise Architecture
The first classification includes: What, How, When, Who, Where, and Why.
The second classification includes: Identification, Definition, Representation, Specification, Configuration, and Instantiation.
(Source: https://www.zachman.com/about-the-zachman-framework)
The Zachman framework is not a methodology, but a structure.
It is a two-dimensional framework that combines six basic interrogatives (What, How, Where, Who, When, and Why) with different perspectives: Executives, Business Managers, System Architects, Engineers, and Technicians.
It enables holistic understanding of the enterprise by looking at the organization from various viewpoints.
Sherwood Applied Business Security Architecture (SABSA)
• Security architecture with a layered framework, similar to Zachman
• Each layer expands in detail to move from a policy to the implementation of technology
• The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security
• Ongoing "manage and measure" phases of the lifecycle
• Provides a chain of traceability through the various layers: contextual, conceptual, logical, physical, component, and operational
• Risk-driven enterprise information security architectures
SOMF
• Service-oriented modeling framework, devised by Michael Bell
• Models business and software systems to specify service orientation
• Can be used to design any application, business, and technological environment, either local or distributed
• Used with a number of architectural approaches
Risk-Based Audit Planning
Explanation
Identification of key enterprise risks requires an understanding of:
• The organization, its environment, and control objectives
• The type and nature of transactions the entity engages in
• The flow of these transactions and how they are captured in information systems
Risk Assessment Terms
• Asset: A valuable resource you are trying to protect
• Risk: The potential that a chosen action or activity will lead to a loss
• Threat: A negative action that may harm a system
• Vulnerability: A weakness that allows a threat to cause harm
• Impact: The severity of the damage, sometimes expressed in dollars
Inherent, Control, Detection, and Overall Audit Risk
Different types of risk:
• Inherent Risk: The probability of an error existing that might be material, assuming compensating controls do not exist. It exists irrespective of an audit and is contributed by the nature of the business.
• Control Risk: The probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.
• Detection Risk: The probability that the Information Systems Auditor (ISA) used inadequate checks and surmises that material errors are absent when, in fact, they are present.
• Overall Audit Risk: The summation of all audit risk groups for each control objective.
Gap Analysis
Following are the two issues in gap analysis:
• Usage gap
• Product gap
Assurance Definitions
• Target of evaluation (TOE): This is the information security deliverable, the object for which assurances are
made.
• Assurance activities: These activities depend on the method of assessment. Various methods of assessment
are discussed later.
• Security target (ST): This is the set of security specifications and requirements used to evaluate the target of
evaluation.
• Security protection profile (SPP): Similar to a security target, this profile is much broader in scope. Unlike an
ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given
individual or group of individuals.
Risk-based Audit Definitions
• Control
• IT Control Objective
• Risk
• Evidence
• IT Governance
Risk Assessment and Risk Analysis
Explanation
• The overall audit plan should focus on business risks related to the use of IT.
• The area under audit represents the audit scope.
• The auditor uses risk-analysis techniques to establish the critical areas to focus on within the audit scope (the focus is on high-risk areas).
• Limited audit resources require this kind of focus in drawing up the audit plan.
• A proper audit report is critical.
• Follow-up on issues found in the audit is also critical.
Main Areas of Coverage
The main areas of coverage are:
• Risk analysis
• Audit methodology
• Risk-based auditing
• Audit risk and materiality
• Risk assessment and treatment
• Risk-assessment techniques
• Reporting techniques
• Follow-up
Risk Analysis
• Risk is defined as the combination of the likelihood of an event and its magnitude (ISO/IEC 73).
• IT risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement, and adoption of Information Technology within a business (ISACA's IT Risk Framework).
• Risk analysis assists an auditor in recognizing vulnerabilities and risks, and in defining the controls to be put in place to ensure such risks are mitigated.
Definitions of Risk
• The probable frequency and probable magnitude of future loss (source: An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight, LLC)
• The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (source: ISO 27005)
Factor Analysis of Information Risk (FAIR)
Loss
• Productivity
• Resources utilized (for adverse events)
• Replacement of damaged and defective assets
• Legal and regulatory costs
• Loss of competitive advantage
• Reputational loss
Value
• Criticality (impact on smooth functioning)
• Cost
• Sensitivity
Threat agents
• Access
• Misuse
• Disclosure
• Unauthorized modification
□ FAIR is a probabilistic approach.
□ It focuses on what is probable, rather than what is possible.
□ It can be used to complement other methodologies.
Risk Analysis
From the information systems audit's view, risk analysis aids in the following:
● It helps the auditor identify threats and risks within the IS environment.
● It assists in planning the audit by evaluating the controls in place.
● It helps the auditor know the audit objective.
● Decision making is easier as a risk-based methodology is used.
The risk analysis process consists of the following steps:
• Identify Business Objectives (BO)
• Identify information assets supporting the BOs
• Perform Risk Assessment (RA) [Threat, Vulnerability, Impact]
• Perform Risk Management (RM) [Map risks to controls in place]
• Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls]
• Perform Periodic Risk Reevaluation (BO/RA/RM/RT)
Calculating Risk
• Exposure Factor: The Exposure Factor (EF) is the percentage of an asset's value lost due to an incident.
• Single Loss Expectancy: The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF).
• Annual Rate of Occurrence: The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year.
• Annualized Loss Expectancy: The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
Calculating Risk
Risk Formulas
• SLE = Asset Value (AV) × Exposure Factor (EF)
• ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
• Risk = Probability of the Risk × Cost of the Eventuality
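The following Python is an added worked example of the formulas above; it is not from the slides or from ISACA. It computes SLE and ALE for a few constructed scenarios, ranks them by ALE (the order in which a risk-based audit plan would direct limited audit effort to high-risk areas), and shows the residual ALE once a control lowers EF or ARO. The scenario names, the asset values and rates, and the function names are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario for an asset; the field names and sample values are
    assumptions for this illustration, not figures from the course."""
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    annual_rate: float      # ARO: expected number of incidents per year


def risk_exposure(probability, cost):
    """General form from the slides: Risk = probability of the risk x cost of the eventuality."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    return probability * cost


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the cost of one occurrence of the incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of the asset value and must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, annual_rate):
    """ALE = SLE x ARO: the expected yearly cost of the risk."""
    if annual_rate < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * annual_rate


def scenario_ale(scenario):
    """ALE of a scenario computed from its AV, EF and ARO."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annualized_loss_expectancy(sle, scenario.annual_rate)


def residual_ale(scenario, exposure_factor=None, annual_rate=None):
    """ALE after a control is applied. A control may lower EF (e.g. tested backups cut
    the share of value lost) or ARO (e.g. access controls cut how often the incident
    happens); a factor left as None keeps the scenario's original value."""
    ef = scenario.exposure_factor if exposure_factor is None else exposure_factor
    aro = scenario.annual_rate if annual_rate is None else annual_rate
    return annualized_loss_expectancy(single_loss_expectancy(scenario.asset_value, ef), aro)


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first: the order in which a risk-based audit
    plan would allocate limited audit resources."""
    return sorted(scenarios, key=scenario_ale, reverse=True)


# Constructed sample scenarios (illustrative values only).
SAMPLE_SCENARIOS = (
    RiskScenario("Customer database server", 500_000.0, 0.40, 0.5),
    RiskScenario("Branch ATM network", 80_000.0, 0.25, 2.0),
    RiskScenario("Web storefront", 320_000.0, 0.25, 4.0),
)


if __name__ == "__main__":
    for s in rank_by_ale(SAMPLE_SCENARIOS):
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        print(f"{s.name:<26} SLE={sle:>12,.2f}  ALE={scenario_ale(s):>12,.2f}")
    db = SAMPLE_SCENARIOS[0]
    before, after = scenario_ale(db), residual_ale(db, exposure_factor=0.10)
    print(f"Backups for '{db.name}': ALE {before:,.2f} -> residual ALE {after:,.2f}")
```

With these constructed figures the web storefront (SLE 80,000, ALE 320,000) outranks the customer database (SLE 200,000, ALE 100,000) even though a single database incident costs more, because ALE weights the loss by how often it is expected to happen; that is the quantity a risk-based audit plan compares. The residual figure is the ALE that remains with the control in place, to be judged against the risk appetite.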
Risk-based Audit Approach
The risk-based audit approach is based on a concept in which the determination of areas that should be audited is based on the perceived level of risk.
Residual Risk: This represents management's risk appetite. Normally, controls would be implemented to mitigate risk to acceptable levels (i.e., residual risk).
Audit risk is the risk that a report or information might contain an error that is material and might be undetected through the audit period.
Risk-based Auditing
Risk Assessment and Risk Evaluation
● Risk assessment drives the audit process.
● The identification of risk, prioritization of audit areas, and allocation of audit resources should be based on risk assessment.
● Evaluation of the risk management process must be conducted at every stage to ensure that risk is being managed within the risk appetite of the organization.
Risk Assessment and Treatment
Risk Assessment
● Risk assessments involve identifying, prioritizing, and quantifying risks against criteria for risk tolerance and objectives relevant to the organization.
● Risk assessments should be carried out regularly to ensure they address changes in security, the risk situation, and the environment, especially when key changes take place.
Risk Assessment and Treatment
Risk Assessment Risk Treatment
Risk Assessment Risk Treatment
● Risk Mitigation – Applying adequate controls to lower the risks
● Risk acceptance – Objectively and knowingly not taking action
● Risk avoidance – Evading risks by ensuring actions that cause the risk are prevented
● Risk transfer/sharing – Sharing the risk with third parties such as suppliers or insurance companies
Risk Assessment Methods
• Different methods are employed to perform risk assessments, for example the scoring system method and the judgmental method.
• A combination of methods may be used.
• Methods may develop and change over time.
• All methods depend on subjective judgment.
• The auditor should evaluate the appropriateness of any chosen risk methodology.
Types of Audits and Assessments
Knowledge Statement 1.11
Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities.
Explanation
Following are the various types of audits:
• Internal vs. external
• Specific domain (e.g., financial)
• Reliance on other auditors
Internal vs. External Audits
Internal
● Pre-audits
● Compliance audits
● Post incident
● Often targeted
External
● Compliance
● Regulatory
● General
Specific Domain Audits
• PCI DSS
• Network systems
• IT
• Regulatory
• Financial
• Web or e-commerce systems
• Database systems
Reliance on Other Auditors
• Past audit results
• Incorporating other audits
• Comparison
Audit Factors
Audit Subject – The area to be audited
Audit Objective – The purpose of the audit
Audit Scope – Constrains the audit to a specific system, function, or unit, or period of time
Part B: Execution
The following topics are covered in Part B:
• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process
Audit Project Management
• Plan the audit engagement
• Build the audit plan
• Execute the plan
• Monitor project activity
Audit Objectives
Audit objectives are the specific goals that the audit process must accomplish.
The audit objectives assure the following:
• Compliance with legal and regulatory requirements
• Protection of the confidentiality, integrity, and availability of information and IT resources
Audit Phases
The whole auditing process can generally be divided into the following three phases:
• Planning
• Fieldwork and documentation
• Reporting and follow-up
Planning Phase
• Determine audit subject
• Determine audit objective
• Set audit scope
• Perform pre-audit planning
• Determine procedures
Fieldwork and Documentation Phase
• Acquire data
• Test controls
• Discover and validate issues
• Document results
Reporting Phase
• Gather report requirements
• Draft report
• Issue report
• Follow-up
Audit Program
• An Audit Work Program represents the audit plan and strategy. It has audit procedures, scope and
objectives.
• The Audit Work Program:
• Is a guide for documenting various audit steps performed and the types and extent of evidential matters
reviewed;
• Provides a trail of the process used; and
• Provides accountability for performance.
• IS Audit Process Steps:
• Plan – assess risks, develop audit program: objectives, procedures (Guidance 5)
• Obtain and evaluate evidence – strengths and weaknesses of controls
• Prepare and present report – draft and final report
• Follow-up – corrective actions taken by management (Guidance 35)
Audit Methodology
Audit methodology refers to standard audit procedures to be used to achieve the planned audit objectives. It is a documented approach for performing the audit in a continuous and recurring manner to achieve the planned audit objectives.
Audit methodology components:
• Scope
• Audit objectives
• Work programs
Applicable Laws and Regulations for IS Audit
Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audit.
Fraud, Irregularities, and Illegal Acts
Explanation
Fraud investigations or legal proceedings require that the integrity of the evidence be maintained throughout its life cycle (called chain of custody in forensic evidence).
Legal requirements include laws, regulations, and/or contractual agreements placed on Audit (or IS Audit) or the auditee. Management and audit personnel in an organization should be aware of external requirements for computer system practices and controls, and for how data is processed, transmitted, and stored. The need to comply with different laws raises legal requirements that impact audit objectives and audit scope.
Main Areas of Coverage
The main areas covered under this knowledge statement include:
• Evidence
• Audit documentation
• Continuous auditing
• Legal requirements
HIPAA and HITECH
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA): PHI (Personal Health Information)
• Health Information Technology for Economic and Clinical Health Act (HITECH): redefining what a breach is; creating stricter notification standards
Sarbanes-Oxley and PCI
• Sarbanes-Oxley: Public companies must keep electronic records for 5 years
• PCI DSS (Payment Card Industry Data Security Standard)
Cryptography Standards
ISO/IEC 7064 | Data processing – Check character systems | Published 2003
ISO/IEC 9796 | Digital signature schemes giving message recovery | 3 parts published 2002 to 2006, under revision
ISO/IEC 9797 | Message authentication codes (MACs) | 2 parts published 1999 to 2002, under revision, 3rd part is upcoming
ISO/IEC 9798 | Entity authentication | 6 parts published 1997 to 2005
ISO/IEC 10116 | Modes of operation for an n-bit block cipher algorithm | Published 2006
ISO/IEC 10118 | Hash-functions | 4 parts published 1998 to 2004 (2006), under revision
ISO/IEC 11770 | Key management | 4 parts published 1996 to 2006, under revision
Balanced Score Card
• A type of structured report used as a performance management tool
• Used to track execution of activities
• Actually measures performance against an expected value
• Should define measurements from four perspectives: financial, customer, internal process, and innovation/learning
Sampling Methodology
Knowledge Statement 1.8
Knowledge of different sampling methodologies and other substantive/data analytical procedures.
Sampling Methodologies
Compliance testing involves gathering evidence to test the enterprise’s compliance with control procedures.
Substantive testing involves gathering evidence to evaluate the integrity of individual transactions, data, or other information.
The presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that have to be done.
Conversely, weaknesses in internal controls will increase the need for, or the number of, substantive tests.
Sampling is done when, considering the time and cost needed, it is not practical to test or verify all transactions (i.e., the population, which consists of all items in the area being examined).
Main areas of coverage: compliance vs. substantive testing; sampling
Sampling
A sample is a subset of population members that is examined in order to infer characteristics of the whole population.
A basic understanding of sampling is necessary for the ISA.
• A population consists of the entire group of items that need to be examined.
• The sample must represent as closely as possible the characteristics of the whole population.
• Sampling is done when verifying all transactions or events (the population) in the audit scope is not feasible.
• The sample drawn must be a correct representation of the population, since all the conclusions are drawn from the sample.
General Approaches to Sampling
Sampling can either be statistical or non-statistical.
Statistical sampling
● Uses objective judgment to determine:
o Sample size
o Selection criteria
o Sample precision
o Reliability or confidence level
● This can be used to infer population characteristics from the sample and is the preferred method.
Non-statistical sampling
● Uses subjective judgment to determine:
o Method of sampling
o Sample size
o Sample selection
● This cannot be used to infer population characteristics from the sample and is not a preferred method of sampling.
Statistical sampling
● Uses statistical principles of probability and confidence level to draw a sample representative of the population
● The ISA decides the sample precision (how closely the sample should represent the population) and the confidence level (the number of times in 100 that the sample will represent the population)
Non-statistical sampling
● Uses the judgment of the ISA to determine the sample selection and size
● Increased possibility of sampling risk (the risk that the analysis or conclusions will be wrong because the sample is not representative of the population)
● This technique may be used when drawing an inference about the population is not necessary; say, when a handful of large-value credit limits are picked up for scrutiny from a population of extremely low-value credit limits
Attribute and Variable Sampling
Sampling methods are of two types, attribute sampling and variable sampling.
Attribute sampling
● Also known as proportional sampling
● Deals with the presence or absence of an attribute
● Generally applied for compliance testing, to detect the presence or absence of an attribute and draw conclusions from the rate of incidence
● Conclusions expressed in rates of incidence
Types:
● Attribute sampling, also called fixed sample-size attribute sampling or frequency estimation
● Stop-or-go sampling
● Discovery sampling
Variable sampling
● Used to estimate the value of some variable, for example verification of transactions, or review of processing in programs used in the preparation of financial statements
● Also known as dollar estimation, mean value estimation sampling, or quantitative sampling
● Applied in substantive testing; deals with characteristics that vary, such as monetary values and measures, and with drawing conclusions regarding deviations from the norm
● Provides conclusions related to deviations from the norm
Types:
● Stratified mean per unit
● Unstratified mean per unit
● Difference estimation
Attribute Sampling
Fixed sample-size attribute / frequency-estimate sampling
• Aim is to determine the rate of occurrence: how many, how often?
• Example: approval signature on user account creation forms
Stop-or-go sampling
• Adopted when the auditor expects fewer errors
• Sample size is small and can be kept to a minimum
Discovery sampling
• Adopted when errors are expected to be a rare occurrence
• Aim is to discover:
o fraud
o bypassing rules by manipulation (e.g., by splitting a large order value into several smaller ones to avoid having to obtain approval of a higher authority)
Variable Sampling
Stratified sampling produces a higher confidence level for the same sample size, or may result in a lower sample size for the same confidence level, while other attributes are kept equal.
Stratified mean per unit
• Population is divided into strata, and samples are drawn from the various strata
• Stratification, if properly applied, reduces the sample size relative to unstratified mean per unit
Unstratified mean per unit
• Mean is calculated for the entire sample, without stratification, and extrapolated to the entire population
• It increases the sample size
Difference estimation
• Technique used to estimate the difference between the audited values and the book values, on the basis of differences observed in the sample
Sampling Terms
Confidence coefficient / level / reliability factor (applicable to both attribute and variable sampling)
• The probability that the sample is representative of the population, in relation to the characteristic observed, expressed as a percentage
• A 95% confidence coefficient implies a 95% chance that the sample is representative of the population
• Depending on the assessment of the effectiveness of internal controls, the ISA will vary the sample size
• The greater the confidence level the ISA desires, the larger the sample size will be
Level of risk (applicable to both attribute and variable sampling)
• The opposite of the confidence coefficient: the risk that the sample is not representative of the population
• If the confidence coefficient is 95%, the level of risk is 5%
Precision (applicable to both attribute and variable sampling)
• The range of difference between the sample and population acceptable to the ISA
• This is expressed as a percentage for attribute sampling and as a numerical value for variable sampling
• The higher the precision level, the lower the sample size, and vice versa
Sample / population standard deviation (applicable to both attribute and variable sampling)
• A measure of the variance or spread of values around the mean
Expected error rate
• The expected error in percentage
• Applied only to attribute sampling, not variable sampling
• If the expected error rate is high, the sample size will have to be increased
Tolerable error rate (applicable to both attribute and variable sampling)
• Expressed as a percentage, it represents the maximum degree of error that can exist without the result being materially misstated
• Defines maximum precision using the tolerable error rate, within permissible limits
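An added example, not from the slide deck, showing how the sampling terms above interact numerically: it computes an attribute-sampling sample size from the confidence coefficient, the expected error rate and the tolerable error rate using the normal approximation to the binomial (an assumed textbook method; published audit sampling tables may give slightly different sizes), so the stated relationships between confidence, expected error, precision and sample size can be checked on real figures.

```python
"""Attribute-sampling sample size from confidence level, expected error rate
and tolerable error rate.

Added example, not from the original slide deck. It uses the normal
approximation to the binomial distribution, a common textbook method (an
assumption here; published audit sampling tables or exact binomial methods may
give slightly different sizes).
"""
import math
from statistics import NormalDist


def attribute_sample_size(confidence: float, expected_error_rate: float,
                          tolerable_error_rate: float) -> int:
    """Return the number of items to test in an attribute sample.

    confidence           - confidence coefficient, e.g. 0.95 (level of risk 0.05)
    expected_error_rate  - anticipated deviation rate in the population
    tolerable_error_rate - maximum deviation rate before the result is
                           materially misstated; the precision is the gap
                           between the tolerable and the expected error rate
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    precision = tolerable_error_rate - expected_error_rate
    if precision <= 0.0:
        raise ValueError("tolerable error rate must exceed the expected error rate")
    # Two-sided standard normal quantile for the requested confidence level.
    z = NormalDist().inv_cdf(1.0 - (1.0 - confidence) / 2.0)
    p = expected_error_rate
    # Normal approximation: n = z^2 * p(1-p) / precision^2, rounded up.
    n = (z ** 2) * p * (1.0 - p) / precision ** 2
    return math.ceil(n)


# Constructed scenarios that each vary one input against the baseline.
SCENARIOS = [
    ("baseline: 95% confidence, 5% expected, 10% tolerable", 0.95, 0.05, 0.10),
    ("higher confidence (99%)",                              0.99, 0.05, 0.10),
    ("lower expected error (2%)",                            0.95, 0.02, 0.10),
    ("wider precision (tolerable 15%)",                      0.95, 0.05, 0.15),
]


if __name__ == "__main__":
    for label, conf, expected, tolerable in SCENARIOS:
        n = attribute_sample_size(conf, expected, tolerable)
        print(f"{label:55} sample size = {n}")
```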
Audit Evidence Collection Techniques
Knowledge Statement 1.7
Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence.
Evidence Collection Techniques
Explanation
• Audit findings must be supported by objective evidence
• Know the techniques to gather and preserve evidence
• Information is gathered through inquiry, observation, interview, and analysis using CAATs (Computer Assisted Auditing Techniques) such as ACL and IDEA, among others
• Electronic media may be used to retain audit evidence to support audit findings
• Retention policies should meet the requirements for such evidence to support audit findings
Main Areas of Coverage
1. Computer Assisted Audit Techniques (CAATs)
2. Evidence
3. Interviewing and observing personnel in the performance of their duties
4. Continuous auditing
5. Audit documentation
Evidence
• Is the information the Information Systems Auditor (ISA) gathers while performing an IS audit to meet the audit objectives by supporting the audit findings
• Must directly relate to the objectives of the review
• Is key to the audit process
• Is mandatory under standard “S6 Performance of Audit Work”
• Should be appropriately organized and documented to support the findings and conclusion(s)
Reliability of Evidence
Determinants for the reliability of evidence include:
• Independence of the provider of the evidence
• Qualification of the individual providing the information/evidence
• Objectivity of the evidence
• Timing of the evidence
Given an audit scenario in the exam, a candidate should be able to determine which type of
evidence gathering technique would be best.
Evidence Characteristics and Types
• The confidence level of evidence is based on its value; audit evidence is considered:
o Sufficient if it is complete, adequate, convincing, and would lead another ISA to form the same conclusions
o Useful if it assists ISAs in meeting their audit objectives
o Reliable if, in the auditor’s opinion, it is valid, factual, objective, and supportable
o Relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Techniques for Gathering Evidence
Techniques for gathering evidence include the following:
• Reviewing IS organizational structures
• Reviewing IS documentation
• Reviewing IS standards
• Reviewing IS policies and procedures
• Walkthroughs
• Re-performance
• Observing processes and employee performance
• Interviewing appropriate personnel
Audit Documentation
Audit documentation should include a record of:
• Planning and preparation of audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors or experts
• Audit findings, conclusions, and recommendations
• Audit documentation related to document identification and dates
Data Analytics
Computer Assisted Audit Techniques (CAATs)
• Automated tools and techniques used for gathering and analyzing data from computer systems to meet a
predetermined audit objective.
CAATs
The CAATs process involves:
● Understanding the client
● Obtaining effective evidence
● Data analysis
● Reporting
CAATs are necessitated by differences in hardware and software environments, data structures, record formats, and processing functions.
Examples of CAATs:
● Generalized audit software, e.g., IDEA, ACL
● Utility software, e.g., DBMS report writers
● Debugging and scanning software
● Test data
● Expert systems
● SQL commands
● Third-party access control software
● Application software tracing and mapping
● Options and reports built into a system
CAATs:
● Collate and analyze diverse data; information systems employ diverse hardware, software, databases, data structures, and formats for audit evidence
● Provide means of analyzing data to achieve audit objectives
● Enable the ISA to work independently, eliminating continuous assistance from the IT function
Types of CAATs:
• GAS (Generalized Audit Software)
• Utility software
• Industry-specific audit software
• Fourth-generation languages like SQL
• Expert systems
• Neural networks
• Application software tracing
• Mapping
Computer-Assisted Auditing Techniques
Types of CAATs
Generalized Audit Software (GAS)
• Standard, off-the-shelf software which can read data from diverse database platforms, flat files, and ASCII formats
• The ISA can utilize the in-built functions of the software
• Functions of GAS include:
o File access and reorganization
o Sampling
o Filtration
o Statistical analysis
o Stratification and frequency analysis
o Report generation
o Duplicate checking
o Recomputation
• Limitations of GAS include:
o Not suitable for concurrent auditing
o Can only conduct post-event audit
o Limited capabilities to verify processing logic
Utility Software
• Is a part of a suite of programs like copy and sort programs, report generators, disk search utilities, and fourth-generation languages like SQL (structured query language).
Industry-specific Audit Software
• While GAS is generic in nature, audit software specific to some industries like financial services, insurance, and health care is also available.
• They include built-in queries to perform audit functions in specific industries, say check kiting in banking.
• Constructing similar queries in GAS would need more effort and skills.
Expert System
• This is a type of artificial intelligence and incorporates a knowledge base that contains the knowledge of human experts in the concerned domain.
• The inference engine in the expert system compares the data presented against the knowledge base to draw conclusions.
• Expert systems can be used for:
o Risk analysis
o Evaluation of internal controls and assessing if provisions on doubtful debts are adequate
Neural Networks
• These are designed to mimic the neurons of the human brain.
• They can be “trained” to recognize patterns that indicate certain occurrences, like a fraud.
Continuous Online Audit
• CAATs can be used to implement ongoing monitoring.
• They can be configured to continuously analyze data either in real or near real time intervals, in furtherance of preset audit objectives.
Computer Assisted Audit Techniques (CAATs)
Functional capabilities of Generalized Audit Software (GAS) are as follows:
• File access: reading different file structures and record formats
• File reorganization: indexing, sorting, merging, linking
• Data selection: filtration conditions, selection criteria
• Statistical functions: sampling, stratification, frequency analysis
• Arithmetic functions: arithmetic operators and functions
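An added example, not code from the slide deck or from any GAS product such as IDEA or ACL, implementing three of the GAS capabilities listed above over a constructed purchase-order extract: duplicate checking, stratification by amount band, and a data-selection routine that surfaces the split-order pattern described earlier under discovery sampling. The order records, the approval threshold and the time window are constructed values.

```python
"""GAS-style analysis of a purchase-order extract: duplicate checking,
stratification, and detection of orders split to stay under an approval limit
(the pattern discovery sampling aims to find).

Added example, not code from the slide deck or from any GAS product such as
IDEA or ACL. The records, approval threshold and window are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed purchase-order extract: (order_id, requester, vendor, date, amount)
ORDERS = [
    ("PO-1001", "alice", "ACME Ltd", date(2023, 3, 1), 4_800.00),
    ("PO-1002", "alice", "ACME Ltd", date(2023, 3, 2), 4_900.00),
    ("PO-1003", "alice", "ACME Ltd", date(2023, 3, 3), 4_750.00),
    ("PO-1004", "bob",   "Globex",   date(2023, 3, 5), 12_000.00),
    ("PO-1005", "carol", "Initech",  date(2023, 3, 7), 350.00),
    ("PO-1005", "carol", "Initech",  date(2023, 3, 7), 350.00),   # duplicate record
    ("PO-1006", "dave",  "Globex",   date(2023, 3, 9), 2_100.00),
    ("PO-1007", "dave",  "Globex",   date(2023, 4, 20), 2_200.00),  # outside window
]
APPROVAL_THRESHOLD = 5_000.00   # constructed: orders at or above need senior approval
SPLIT_WINDOW_DAYS = 7           # constructed: window in which split orders are sought


def find_duplicates(orders):
    """Duplicate checking: records whose every field repeats an earlier record."""
    seen, dups = set(), []
    for rec in orders:
        if rec in seen:
            dups.append(rec)
        seen.add(rec)
    return dups


def stratify(orders, bands):
    """Stratification: count and total the orders per amount band. `bands` is an
    ascending list of exclusive upper bounds; a final open-ended band is added."""
    edges = list(bands) + [float("inf")]
    result = {edge: {"count": 0, "total": 0.0} for edge in edges}
    for *_, amount in orders:
        band = next(edge for edge in edges if amount < edge)
        result[band]["count"] += 1
        result[band]["total"] += amount
    return result


def find_split_orders(orders, threshold, window_days):
    """Data selection for discovery: flag requester/vendor pairs whose individual
    orders each stay below the approval threshold but whose orders inside a
    rolling window together reach it. Returns {pair: [order ids]}."""
    by_pair = defaultdict(list)
    for oid, requester, vendor, when, amount in orders:
        if amount < threshold:                       # only sub-threshold orders
            by_pair[(requester, vendor)].append((when, oid, amount))
    flagged = {}
    for pair, recs in by_pair.items():
        recs.sort()                                  # chronological order
        for i, (start, _, _) in enumerate(recs):
            window = [r for r in recs[i:]
                      if r[0] - start <= timedelta(days=window_days)]
            if len(window) > 1 and sum(r[2] for r in window) >= threshold:
                flagged[pair] = [r[1] for r in window]
                break
    return flagged


if __name__ == "__main__":
    print("Duplicates:", [d[0] for d in find_duplicates(ORDERS)])
    for band, stats in stratify(ORDERS, [1_000, 5_000]).items():
        print(f"amounts below {band:>8}: {stats['count']} orders, total {stats['total']:,.2f}")
    for pair, ids in find_split_orders(ORDERS, APPROVAL_THRESHOLD, SPLIT_WINDOW_DAYS).items():
        print("Possible split orders:", pair, ids)
```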
Reporting and Communication Techniques
Knowledge Statement 1.9
Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification).
Reporting and Communication Techniques
Explanation
Communication needs to be effective and clear to improve the quality of the audit and maximize results.
When an argument ensues between the auditor and the auditee during the presentation of the final IS audit findings report over the accuracy of the findings, it undermines the audit process and quickly dilutes its value.
Audit findings reported to stakeholders need to have appropriate buy-in from the auditees for the audit process to be successful and value adding.
Communication and negotiation skills are required throughout the audit activity.
Communication skills determine the effectiveness of the audit reporting process.
Audit Report Objectives
The objectives of audit reporting are:
• Formally presenting the audit report to the auditee or client
• Providing statements of assurance of controls
• Identifying areas that require corrective actions
• Providing recommendations
• Formally seeking closure of the audit engagement
Main Areas of Coverage
The main areas of coverage:
• Information Technology Assurance Framework (ITAF) (Section 2600 – Reporting Standards)
• Communicating audit results
Presentation techniques include:
● Executive summary: an easy-to-read, concise report that presents the summary of the entire report
● Visual presentation: may include slides or computer graphics
Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. This is to ensure an agreement is reached on both the findings and the corrective action to be taken.
The CISA candidate should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards.
During exit interviews, the IS auditor should:
• Ensure facts presented in the report are accurate
• Ensure recommendations are realistic and cost-effective
• Recommend implementation dates for agreed-on recommendations
Communication Skills
Facilitation, negotiation, conflict resolution, issue writing
The Report
Identify and Include:
• Organization, recipients, restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow up, and reservations
or qualifications
o Grouped by materiality or intended recipient
o Mention faults and constructive corrections
• Evidence to support results (may be separate)
• Overall findings, conclusion, and opinion
• Signed and dated
Audit Report Basics
An audit report includes the following features:
• Organization, recipients, and restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow-ups, and reservations/qualifications
o Grouped by materiality or intended recipient
o Mention faults and constructive corrections
• Evidence to support results
• Overall findings, conclusion, and opinion
• Signature and date
Follow-Up Activities
• An IS auditor should conduct a follow-up program to determine whether the management has
implemented the agreed-on corrective actions.
• The results of the follow-up should be communicated appropriately.
Quality Assurance and Improvement of the Audit Process
Audit Assurance Systems and Frameworks
Knowledge Statement 1.10
Knowledge of audit quality assurance (QA) systems and frameworks.
Explanation
Auditing standards are the minimum parameters to be taken into account when performing an audit.
An IS auditor has to understand the impact of the IS environment on traditional auditing practices and techniques to ensure the audit objective is achieved.
Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of a facilitator to business process owners to help them define and assess appropriate controls (taking into consideration the risk appetite of the organization).
Process owners are best placed to define appropriate controls due to their process knowledge.
IS auditors help process owners understand the need for controls based on business risk.
Main Areas of Coverage
The main areas covered under this knowledge statement are as follows:
• Audit programs
• Audit methodology
• Audit objectives
• Evaluation of audit strengths and weaknesses
• Control Self Assessment (CSA)
• Objectives, advantages, and disadvantages of CSA
• Auditor's role in CSA
• Using services of other auditors and experts
• Traditional vs. CSA approach
Control Self Assessment (CSA)
• CSA is a methodology used to review key business objectives, risks involved in achieving the business objectives, and internal controls designed to manage these business risks in a formal, documented, collaborative process.
• CSA is a management technique that assures stakeholders, customers, and other parties that the internal control system of the organization is reliable.
• It ensures employees are aware of business risk and that they conduct periodic, proactive reviews of controls.
• CSA involves a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops.
Objectives of a CSA
Control Objectives for Information and Related Technology (COBIT) provides guidance on the development of a CSA.
Following are the objectives of a CSA:
• Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• Ensure line managers are in charge of monitoring controls
• Educate management on control design and monitoring
COBIT
Some important facts about COBIT are:
• Control Objectives for Information and related Technology
• ISACA first released COBIT in 1996
• Revised in 2005 to become ISO 17799:2005
• ISACA published the current version, COBIT 5, in 2012
• Contains 134 detailed information security controls based on 11 areas
Benefits of a CSA
Benefits of a CSA include the following:
• Early detection of risk
• More effective and improved internal controls
• Create cohesive teams – employee involvement
• Develops sense of ownership of controls in employees and process owners
• Improved audit rating process
• Reduction in control cost
• Increased communication between operations and top management
• Highly motivated employees
• Assurance provided to stakeholders and customers
CSA Disadvantages and Role of Auditor
Disadvantages of a CSA
● Might be mistaken as an audit function replacement
● May be taken as additional workload (e.g., writing reports to management)
● Failure to act on improvement suggestions could damage employee morale
● Inadequate motivation limits effectiveness in the discovery of weak controls
Auditor’s role in CSA
● Internal control professional and assessment facilitator (management staff participates in the CSA process, not the auditor)
Traditional Vs. CSA Approach
The following table compares the traditional audit approach with CSA:
Traditional Audit Approach | CSA
Assigns tasks | Empowered and accountable employees
Policy-driven | Continuous improvement learning curve
Limited employee participation | Extensive employee participation and training
Limited stakeholder focus | Broad stakeholder focus
Auditors and other specialists | Staff at all levels and in all functions are the primary control analysts
Domain One Exam Quick Pointers
1. The auditor is a facilitator in a Control Self Assessment.
2. Examples of substantive tests include testing samples of an inventory of backup tapes.
3. Control Self Assessment (CSA) enhances audit responsibility as one of its key objectives.
4. Accountability cannot be enforced without authentication and identification in an access control.
5. IS auditors are likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within acceptable limits.
6. Identification of high-risk areas is the most important step in an audit plan.
7. The auditor should be aware of data flows within an enterprise when assessing corrective, preventive, or detective controls.
8. Responsibility and accountability can be established by the use of audit trails.
Knowledge Check
QUIZ 1
An audit charter should ____.
a. summarize the responsibilities, authority, and scope of an internal audit department
b. define audit processes
c. outline audit goals and how to achieve them
d. keep track with the change in information technology
The correct answer is a.
An audit charter should summarize the responsibility, authority, and scope of an audit department.
QUIZ 2
An audit report prepared by the information systems auditor should be corroborated by ____.
a. supporting statements from IS management
b. work-papers of senior auditors
c. control self-assessment from the organization
d. appropriate, relevant, and sufficient audit evidence
The correct answer is a.
An IS auditor should have statements from IS Management to ensure that they are in agreement with the findings as well as the corrective action to be taken.
QUIZ 3
An IS auditor reviews the previous audit plan implemented for a client and finds that it was designed to review the company network and e-mail systems, but not the e-commerce Web server. The IT manager indicates that the preferred focus for audit is the newly implemented ERP application. How should the auditor respond?
a. Determine the highest-risk systems and plan the audit based on the results
b. Audit the new ERP application as requested by the IT manager
c. Audit both the e-commerce server and the ERP application
d. Audit the e-commerce server since it was not audited last year
The correct answer is c.
The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. The IS auditor should not rely on the prior-year audit plan since it may not have been designed to reflect a risk-based approach.
QUIZ
3
QUIZ 4
When testing program change requests, an IS auditor found that the population of changes was too small to provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?
a. Report the finding to management as a deficiency.
b. Create additional sample changes to programs.
c. Develop an alternate testing procedure.
d. Perform a walk-through of the change management process.

The correct answer is a.
If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.
QUIZ 5
The main advantage derived from an enterprise employing a control self-assessment (CSA) process is that it:
a. enables management to delegate responsibility.
b. can replace the traditional audit methods.
c. allows the auditor to independently assess risks.
d. identifies high-risk areas that require a detailed review later.

The correct answer is d.
Control self-assessment is based on the review of high-risk areas that will need either a more thorough review at a later date or immediate attention.
Case Study
Case Study 1
The IS auditor has been asked to perform a pre-audit review to assess the company’s readiness for a regulatory compliance audit. The regulatory requirements include management taking an active role in IT management, including managerial review and testing of IT controls.
The areas to assess in the upcoming regulatory compliance audit include physical controls, logical controls, end-user computing, and change management. The IS auditor has only two weeks to complete the pre-audit review. Previous audits found no issues with physical controls or end-user computing but did find issues with logical controls and change management.
Previous issues found include inadequate password management and the fact that not all changes were reviewed by a change approval board.
QUIZ 1
Which of the following would be the most important item for the IS auditor to check first?
a. Password management
b. Change approval
c. Patch management
d. Physical security

The correct answer is a.
Password management and change approval were both identified as issues in previous audits. However, password management is a more critical issue, and it is less time consuming to check. It may not be possible to review change management within the time allotted.
QUIZ 2
If time permits, should the IS auditor review physical controls and end-user computing, even though there were no problems noted in previous audits?
a. Yes, check both if time permits
b. No, as there were no previous issues
c. If possible, check physical controls but not end-user computing
d. If possible, check end-user computing then physical controls

The correct answer is a.
Simply because there have not been issues in the past does not mean an area should not be reviewed during an audit. If time permits, every area that will be addressed in the regulatory compliance audit should be reviewed.
Case Study 2
An IS auditor has been tasked to audit a financial application used by a bank to process loan applications. The application can be accessed via a Web interface from anywhere in the world. The company maintains the Web server internally (that is, it is not outsourced) as well as the back-end database. The auditor has limited time and may not be able to do a complete audit.
QUIZ 1
Which of the following tools would be most helpful in this audit?
a. General audit software application tool
b. Statistical analysis tool
c. Web vulnerability testing tool
d. General vulnerability assessment tool

The correct answer is c.
Since the application is accessed via the Web, the most critical item to audit is the Web interface. This is where most security issues would be found, so it is the most useful focus for the audit.
QUIZ 2
In this scenario, what is the order of importance of items checked?
a. Firewall, VPN, Web server, Database server
b. VPN, Firewall, Database server, Web server
c. Database server, VPN, Web server, Firewall
d. Web server, Firewall, Database server, VPN

The correct answer is d.
The Web server is the most important, as it is the publicly facing interface most vulnerable to attack. The database is protected by the firewall, so the next item to check is the firewall. VPN connections need not be checked, as there is no VPN used in this scenario.
Key Takeaways
You are now able to:
• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
• Conduct an audit in accordance with IS audit standards and a risk‐based IS audit strategy
• Communicate audit progress, findings, results, and recommendations to stakeholders
• Conduct an audit follow‐up to evaluate whether risks have been sufficiently addressed
• Evaluate IT management and monitoring of controls
• Utilize data analytics tools to streamline an audit process
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
• Identify opportunities for process improvement in the organization's IT policies and practices

  • 12. Learning Objectives By the end of this domain, you’ll be able to: Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization Conduct an audit in accordance with IS audit standards and a risk‐based IS audit strategy Communicate audit progress, findings, results, and recommendations to stakeholders Conduct an audit follow‐up to evaluate whether risks have been sufficiently addressed Evaluate IT management and monitoring of controls Utilize data analytics tools to streamline an audit process Provide consulting services and guidance to the organization in order to improve the quality and control of information systems Identify opportunities for process improvement in the organization's IT policies and practices
  • 14. Part A: Planning The following topics are covered in Part A: • IS Audit standards, guidelines, and codes of ethics • Business processes • Types of controls • Risk-based audit planning • Types of audits and assessments
  • 15. IS Audit Standards, Guidelines, and Codes of Ethics
  • 16. Information System Auditing Process Part A: Planning 1.1 IS Audit Standards, Guidelines, and Codes of Ethics
  • 17. IS Audit Standards, Guidelines, and Codes of Ethics Introduction Credibility of an audit is based, in part, on use of commonly accepted standards. ISACA is the global pioneer of IS Assurance and Audit guidelines, Tools and Techniques, Standards, and Code of Professional Ethics. ISACA standards provide a benchmark for IS audit.
  • 18. Main Areas of Coverage The main areas covered under this knowledge statement include: The CISA Exam will test your understanding of the application of Standards and Guidelines. ISACA IS Audit and Assurance Tools and Techniques ISACA IS Audit and Assurance Guidelines ISACA IS Audit and Assurance Standards Framework ISACA Code of Professional Ethics The main areas of coverage Relationship between Guidelines, Tools and Techniques, and Standards
  • 19. Categories of Standards and Guidelines □ This category applies to all assignments and contains guiding principles for IS assurance. □ It covers: o Ethics o Independence o Objectivity o Due care o Knowledge o Competence o Skill □ This category deals with the conduct of the IS audit and assurance assignments. □ It covers: o Planning o Scoping o Risk o Materiality o Supervision o Exercise of professional judgement o Due care □ This category covers: o Reports o Information o Means of communication General Performance Reporting
  • 20. ISACA IS Audit and Assurance Standards General: 1001 Audit Charter, 1002 Organizational Independence, 1003 Professional Independence, 1004 Reasonable Expectation, 1005 Due Professional Care, 1006 Proficiency, 1007 Assertion, 1008 Criteria. Performance: 1201 Engagement Planning, 1202 Risk Assessment in Planning, 1203 Performance and Supervision, 1204 Materiality, 1205 Evidence, 1206 Using the Work of Other Experts, 1207 Irregularity and Illegal Acts. Reporting: 1401 Reporting, 1402 Follow-up Activities.
  • 21. ISACA IS Audit and Assurance Guidelines General: 2001 Audit Charter, 2002 Organizational Independence, 2003 Professional Independence, 2004 Reasonable Expectation, 2005 Due Professional Care, 2006 Proficiency, 2007 Assertion, 2008 Criteria. Performance: 2201 Engagement Planning, 2202 Risk Assessment in Planning, 2203 Performance and Supervision, 2204 Materiality, 2205 Evidence, 2206 Using the Work of Other Experts, 2207 Irregularity and Illegal Acts, 2208 Sampling. Reporting: 2401 Reporting, 2402 Follow-up Activities.
  • 22. ISACA Code of Professional Ethics ISACA set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. The members and certification holders shall: Support the implementation and encourage compliance with appropriate standards, procedures, and controls for information systems. Perform their duties with due diligence and professional care in accordance with professional standards and best practices Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by a legal authority. Such information shall not be used for personal benefit or released to inappropriate parties. Maintain competency in their respective fields and agree to undertake only those activities that they reasonably expect to complete with professional competence. Inform appropriate parties about the results of work performed, revealing all significant facts known to them Support the professional education of stakeholders to enhance their understanding of information systems security and control. Serve in the interest of stakeholders in a lawful and honest manner while maintaining high standards of conduct and character and not engage in acts discreditable to the profession.
  • 23. ISACA Code of Professional Ethics Failure to comply with the code of professional ethics can result in an investigation into a member’s and/or certification holder's conduct and, ultimately, in disciplinary measures.
  • 24. ISACA IT Audit and Assurance Standards Framework Objective The objectives of IS audit and assurance standards are to inform: IS auditors of the bare minimum level of performance required to meet the professional responsibilities set in the Professional Code of Ethics The management of the profession’s requirement regarding the work of audit practitioners The CISA certification holders that failure to meet these standards results in a review of their conduct by the ISACA board of directors, which may ultimately result in a disciplinary action
  • 25. ISACA IS Audit and Assurance Guidelines • ISACA IS Audit and Assurance guidelines provide additional information on how to comply with the ISACA Information Technology Assurance and Audit Standards. • The IS Auditor should use professional judgment and be able to justify any differences. • Guideline documents are identified by a prefix G, followed by the number, for example, “G10.” There are 42 categories of guidelines.
  • 26. ISACA IS Audit Guidelines Using the Work of Other Auditors; Audit Evidence Requirement; Use of Computer-Assisted Audit Techniques (CAATs); Outsourcing of IS Activities to Other Organizations; Audit Charter; Materiality Concepts for Auditing Information Systems; Due Professional Care; Audit Documentation; Audit Considerations for Irregularities and Illegal Acts; Audit Sampling; Effect of Pervasive IS Controls; Organizational Relationship and Independence; Use of Risk Assessment in Audit Planning; Application Systems Review; Planning; Effect of Third Parties on an Organization’s IT Controls; Effect of Non-audit Role on the IS Auditor’s Independence; IT Governance; Irregularities and Illegal Acts; Reporting; Enterprise Resource Planning (ERP) Systems Review; Business-to-Consumer (B2C) E-commerce Review; System Development Life Cycle (SDLC) Review; Internet Banking; Responsibility, Authority, and Accountability; Follow-up Activities; Biometric Controls; Configuration Management; Access Controls; IT Organization; Review of Security Management Practices; Return on Security Investment (ROSI); Continuous Assurance; Review of Virtual Private Networks; Business Process Reengineering (BPR) Project Reviews; Mobile Computing; Computer Forensics; Post-implementation Review; Competence; Privacy; Business Continuity Plan (BCP) Review from IT Perspective; General Considerations on the Use of the Internet
  • 27. ISACA IS Audit and Assurance Tools and Techniques IS Audit and Assurance tools and techniques provide additional guidance to IS audit and assurance professionals. They include: • White papers • IS Audit and Assurance programs • COBIT 5 family of products • Reference books Tools and techniques are listed under www.isaca.org/itaf
  • 28. ISACA IS Audit and Assurance Tools and Techniques ISACA has Standards and Guidelines related to Audit (ITAF™): Section 2200 General Standards; Section 2400 Performance Standards; Section 2600 Reporting Standards; Section 3000 IT Assurance Guidelines; Section 3200 Enterprise Topics; Section 3400 IT Management Processes; Section 3600 IT Audit and Assurance Processes; Section 3800 IT Audit and Assurance Management
  • 30. Business Processes Explanation A business process is an inter-related set of cross-functional activities or events that result in the delivery of a specific product or service to a customer. An IS auditor must understand and evaluate the business processes they are auditing. An Internal audit function must be independent and report to the audit committee or to the board of directors.
  • 31. Audit Charter Audit charters are high-level documents that define the purpose, authority, and responsibility of the internal audit activity. Charter Grants and assigns authorization, responsibility, and accountability to the auditor Guides the auditor to get an approval from the board of directors or the audit committee or senior management in their absence Defines the scope of audit function’s activities
  • 32. Fundamental Business Processes Explanation Understanding the underlying business process that is audited Understanding the role that IS play in these processes IS auditing involves assessment of IS-related controls and understanding the control objectives Identifying key controls that help achieve a well-controlled environment, according to standards
  • 33. Audit Planning • Audit planning is the first step of the audit process. The auditor’s responsibilities during the planning phase include: • Gaining an understanding of the client and its business • Establishing priorities • Determining an audit strategy • Determining the type of evidence to collect, based on the risk levels • Assigning personnel resources for the audit • Scheduling with the client to coordinate activities The result of a well-researched and completed audit plan is an audit program.
  • 34. Fundamental Business Processes: Transaction Examples A bank may have various transactions: • Mobile banking • ATM transactions • Over the counter transactions (for example: deposits, withdrawals) A chain store may have: • PoS (Point of Sale) transactions with credit card information, or cash • Extranet transactions with suppliers (Electronic Data Interchange)
  • 35. Using the Services of Other Auditors and Experts IS audit and assurance professionals should: • Consider using the work of other experts when there are constraints which would impair work performance or potential gains in the quality of engagement. • Assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence, and quality‐control processes prior to the engagement. • Assess, review, and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
  • 36. Risk Assessment and Risk Analysis Part A: Planning 1.2 Business Processes
  • 37. Relationship between Standards, Guidelines, Tools and Techniques Standards They are mandatory. Tools and Techniques They provide examples of steps that the auditor may follow in audits. Guidelines They provide assistance on how Information Systems Auditor (ISA) can implement standards in audits. □ ISA must use professional judgment while applying the guidelines, tools, and techniques. □ Legal and regulatory requirements may sometimes be more stringent than the standards. □ The ISA should ensure compliance with the stringent legal or regulatory requirements.
  • 39. Control Principles Explanation Understand how the controls function Explain how those control principles relate to IS
  • 40. Internal Controls They are the policies, procedures, practices, and structures incorporated by an organization to reduce risk. They can be manual or automated. Internal Controls are an enterprise’s internal processes implemented to achieve specific objectives while minimizing risk. They provide reasonable assurance to management that business objectives will be achieved and undesirable events will be prevented, detected, and corrected.
  • 41. Internal Controls Internal controls have two broad objectives: • Increase the likelihood of an objective or a desirable event • Decrease the likelihood of an undesirable event occurring Examples of Objectives: • Ensure that business requirements are clearly documented and understood • Ensure software delivery without time and cost overruns • Ensure testing before release Examples of Undesirable Events: • Virus outbreak • Unfulfilled project objectives
  • 42. Internal Controls Internal Controls consider two things What can be achieved? What can be evaded? Internal controls procedures have two categories General control procedures Information system control procedures
  • 43. Classification of Internal Controls Preventive Controls Corrective Controls Detective Controls
  • 44. Classification of Internal Controls Preventive Controls • Predict and prevent problems before they occur • Monitor input controls and events as a preventive measure • Examples: o Segregation of duties o Maker-checker/four-eyes principle o Input and access controls (physical and logical) o Encryption of data at rest and in transit
  • 45. Classification of Internal Controls Corrective Controls • Minimize the impact of a threat and rectify the cause of a problem • Correct detected errors • Root cause analysis, followed by changes to minimize future occurrences • Examples: o Disaster recovery and business continuity planning o Incident response o Backups, to ensure recovery by restoring data o Reruns of failed processes
  • 46. Classification of Internal Controls Detective Controls • Controls to detect and report intentional and unintentional errors after they occur • Report incidence of errors, attacks, and omissions as they occur • Examples: o Logs o Error messages o Hash totals o Rechecking of calculations o Scrutiny of reports o Code review o Internal audit function o Logical and physical access logging, such as application audit trails, database security logging, server room access control, and door logging to know details of the person and time.
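Hash totals, listed above among the detective controls, are easiest to understand alongside the other batch control totals (record count and financial total). The following Python program is an added example written for this page; it is not part of the Simplilearn course material. The transactions and values in it are constructed for the illustration. A sending system computes the three totals, and the receiving system recomputes them and reports any mismatch; the three error scenarios show which total catches which kind of error.

```python
"""Batch control totals as a detective control.

Added example for this page, not part of the course material. A sending
system computes a record count, a financial total and a hash total over a
batch of transactions; the receiving system recomputes them and reports any
mismatch. All sample records below are constructed for the illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List


@dataclass(frozen=True)
class Transaction:
    account: int      # account number: numerically meaningless, hence "hash total"
    amount: Decimal   # monetary amount: contributes to the "financial total"


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    financial_total: Decimal
    hash_total: int


def compute_totals(batch: Iterable[Transaction]) -> BatchTotals:
    """Compute the three classic batch control totals for a batch."""
    count = 0
    financial = Decimal("0")
    hash_total = 0
    for txn in batch:
        count += 1
        financial += txn.amount
        hash_total += txn.account
    return BatchTotals(count, financial, hash_total)


def verify_batch(received: Iterable[Transaction], expected: BatchTotals) -> List[str]:
    """Recompute the totals on the receiving side.

    Returns a list of findings; an empty list means the control passed.
    """
    actual = compute_totals(received)
    findings: List[str] = []
    if actual.record_count != expected.record_count:
        findings.append(
            f"record count {actual.record_count} != {expected.record_count} "
            "(record dropped or duplicated)")
    if actual.financial_total != expected.financial_total:
        findings.append(
            f"financial total {actual.financial_total} != {expected.financial_total} "
            "(amount altered)")
    if actual.hash_total != expected.hash_total:
        findings.append(
            f"hash total {actual.hash_total} != {expected.hash_total} "
            "(account number altered)")
    return findings


# Constructed sample batch as sent (not real data).
SENT_BATCH = [
    Transaction(account=1001, amount=Decimal("250.00")),
    Transaction(account=1002, amount=Decimal("75.50")),
    Transaction(account=1003, amount=Decimal("1200.00")),
]
SENT_TOTALS = compute_totals(SENT_BATCH)

# Three constructed error scenarios on the receiving side.
ALTERED_AMOUNT = [SENT_BATCH[0], SENT_BATCH[1],
                  Transaction(account=1003, amount=Decimal("2100.00"))]
# Same amounts, but one transaction posted to a different account: only the
# hash total catches this, which is why it is kept alongside the financial total.
SWAPPED_ACCOUNT = [SENT_BATCH[0], SENT_BATCH[1],
                   Transaction(account=1004, amount=Decimal("1200.00"))]
DROPPED_RECORD = SENT_BATCH[:2]


if __name__ == "__main__":
    scenarios = [("as sent", SENT_BATCH), ("altered amount", ALTERED_AMOUNT),
                 ("swapped account", SWAPPED_ACCOUNT), ("dropped record", DROPPED_RECORD)]
    for name, received in scenarios:
        print(name, "->", verify_batch(received, SENT_TOTALS) or ["OK"])
```

Batch totals detect isolated errors and accidental corruption, which is the role the slide gives them; two compensating changes that leave every total unchanged pass unnoticed, so where deliberate tampering is in scope the batch should also carry a keyed message authentication code (the ISO/IEC 9797 MAC standards appear later on this page).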
  • 47. General Controls General controls are the policies and procedures involving all areas of an organization, including IT infrastructure and support services. They enable IT to function in support of corporate goals and include: • Controls over data center and networks • Access control • Segregation of duties • SDLC and Change Management • Physical security
  • 48. General Controls Internal Accounting Controls: safeguarding of assets and reliability of financial records. Operational Controls: day-to-day functions and activities to accomplish business objectives. Administrative Controls: supports operational controls, operational efficiency, and adherence to management. Further examples given on the slide: safeguarding of assets and ensuring proper utilization of resources; facilities, data centers, servers, IT infrastructure, and access control policies; organizational policies and procedures; physical and logical security policies.
  • 49. IS Control Objectives IS control objectives are high-level objectives that management may use for effective control of IT processes. They are: • A statement of the preferred purpose or result to be attained by applying controls around information system processes • Made of procedures, policies, organizational structures, and practices • Intended to reasonably assure that enterprise objectives will be achieved while undesired events are detected, corrected, or prevented
  • 50. IS Control Objectives Overarching principles of IS controls: Confidentiality, Integrity, Availability, Effectiveness, Efficiency, Compliance, Reliability. The first three are the basic principles of information systems security. Effectiveness is getting the job done with a high degree of certainty. Efficiency is getting it done with optimal use of resources.
  • 51. IS Control Objectives Management plays an important role in regulating IS control objectives: • Selecting the control objectives that can be easily implemented and are most appropriate to the organization’s policies • Being cognizant of the risk involved in non-implementation of some of the applicable control objectives • Deciding the manner of implementation
  • 52. IS Control Objectives: Examples • Ensure integrity of the system, such as Operating System integrity • Ensure integrity of the sensitive and critical application systems • Ensure safeguarding of assets • Ensure effectiveness and efficiency of operations • Ensure proper authentication process for users • Ensure availability of service through Disaster Recovery Plan and Business Continuity Planning
  • 53. IS Control Objectives: Examples • Ensure availability of IT assets by having BCP and DR plans • Ensure integrity of application systems by input authorization, input validation, accuracy and completeness of data processing, database integrity, accuracy, completeness, and security of output controls • Protect computer systems from improper access • Ensure that inputs are validated • Ensure database confidentiality, integrity, and availability
  • 54. IS Control Objectives: Examples • Ensure outsourced IT processes and services have clearly defined SLAs, organizational assets are protected, and business objectives are met • Ensure integrity of the sensitive and critical application systems • Safeguard information assets by implementing physical and logical access controls • Ensure SDLC processes are established, maintained, and followed for repeatable and reliable development of software applications to meet business objectives • Ensure integrity and reliability of systems by implementing change management controls • Ensure availability of IT services by developing effective and efficient Disaster Recovery and Business Continuity plans
  • 55. IS Controls • IS control procedures include the following: • Strategy and direction of the IT function • General organization and management of the IT function • System development procedures • Operation procedures • System programming and system support departments • Quality Assurance (QA) processes • Physical access controls • Business Continuity (BCP) • Communications and networks • Access to Information Technology programs, data and resources • Database administration • Detective and protection mechanisms
  • 56. Fundamental Business Processes Part A: Planning 1.3 Types of Controls
  • 57. Enterprise Architecture An Enterprise Architecture (EA) is a conceptual blueprint that defines the structure and operations of an organization. It determines how an organization can most effectively achieve its current and future objectives. It determines if IT is aligned with enterprise objectives and delivers value to business, keeping in view the complexity of an organization. Source: http://searchcio.techtarget.com/definition/enterprise-architecture
  • 58. Zachman FrameworkTM • It is a method to define an enterprise. Two classifications are combined: The first is what, how, when, who, where, and why The second is identification, definition, representation, specification, configuration, and instantiation
  • 59. Zachman Framework™ for Enterprise Architecture It is a schema with an intersection between two historical classifications. The first classification includes the fundamentals of communication, the primitive interrogatives: • What • How • When • Who • Where • Why The second classification is derived from reification, the transformation of an abstract idea into an instantiation, initially postulated by ancient Greek philosophers: • Identification • Definition • Representation • Specification • Configuration • Instantiation (Source: https://www.zachman.com/about-the-zachman-framework)
  • 60. The Zachman framework is not a methodology, but it is a structure. It is a two-dimensional framework that combines six basic interrogatives (What, How, Where, Who, When, and Why). The framework intersects with different perspectives: Executives, Business Managers, System Architects, Engineers, and Technicians. It enables holistic understanding of the enterprise by looking at the organization from various viewpoints. Zachman FrameworkTM for Enterprise Architecture
  • 61. Sherwood Applied Business Security Architecture (SABSA) • Risk-driven enterprise information security architectures • Security architecture with a layered framework, similar to Zachman • Each layer expands in detail to move from a policy to the implementation of technology • Provides a chain of traceability through the various layers: contextual, conceptual, logical, physical, component and operational • The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security • Ongoing “manage and measure” phases of the lifecycle
  • 62. SOMF Service-oriented modeling framework Devised by Michael Bell Modeling business and software systems to specify service orientation Can be used to design any application, business, and technological environment, either local or distributed Used with a number of architectural approaches
  • 64. Risk-based Audit Planning Explanation Identification of key enterprise risks requires understanding of the organization, its environment, and control objectives Type and nature of transactions the entity engages in Flow of this transaction and how it is captured into information systems
  • 65. Risk Assessment Terms Asset: a valuable resource you are trying to protect. Risk: the potential that a chosen action or activity will lead to a loss. Threat: a negative action that may harm a system. Vulnerability: a weakness that allows a threat to cause harm. Impact: the severity of the damage, sometimes expressed in dollars.
  • 66. Inherent, Control, Detection, and Overall Audit Risk Different types of risk: Inherent Risk Probability of an error existing that might be material assuming compensating controls do not exist. It • exists irrespective of an audit • is contributed by the nature of a business Control Risk Probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls Detection Risk Probability that the Information Systems Auditor (ISA) used inadequate checks and surmises that material errors are absent, when in fact, they are present Overall Audit Risk Summation of all audit risk groups for each control objective
  • 67. Gap Analysis Following are the two issues in Gap Analysis: • Usage gap • Product gap
  • 68. Assurance Definitions • Target of evaluation (TOE): This is the information security deliverable, the object for which assurances are made. • Assurance activities: These activities depend on the method of assessment. Various methods of assessment are discussed later. • Security target (ST): This is the set of security specifications and requirements used to evaluate the target of evaluation. • Security protection profile (SPP): Similar to a security target, this profile is much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals.
  • 69. Risk-based Audit Definitions Control IT Control Objective Risk Evidence IT Governance
  • 70. Risk Assessment and Risk Analysis Explanation Overall audit plan should focus on business risks related to use of IT. Area under audit represents the audit scope. Auditor to use risk-analysis techniques to establish critical area to focus on in the audit scope (focus to be on high-risk areas). Limited audit resources require this kind of focus in drawing the audit plan. A proper audit report is critical. Follow up on issues found in the audit is also critical.
  • 71. Main Areas of Coverage The main areas of coverage: Risk Analysis; Audit Methodology; Risk-Based Auditing; Audit Risk and Materiality; Risk Assessment and Treatment; Risk-Assessment Techniques; Reporting Techniques; Follow-up
  • 72. Risk Analysis 1 2 3 Risk is defined as the mixture of the likelihood of an event and its magnitude (ISO/IEC 73) IT Risk is specifically the enterprise risk associated with the ownership, use, operation, influence, involvement and adoption of Information Technology within a business (ISACA’s IT Risk Framework). Risk analysis assists an auditor in recognizing vulnerabilities and risks, and how they can define controls to be put in place to ensure such risks are mitigated.
  • 73. Definitions of Risk The probable frequency and probable magnitude of future loss (source: An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight, LLC) The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (source: ISO 27005)
  • 74. Factor Analysis of Information Risk (FAIR) Loss • Productivity • Resources utilized (for adverse events) • Replacement of damaged and defective assets • Legal and regulatory costs • Loss of competitive advantage • Reputational loss Value • Criticality (impact on smooth functioning) • Cost • Sensitivity Threat agents • Access • Misuse • Disclosure • Unauthorized modification □ FAIR is a probabilistic approach. □ It focuses on what is probable, rather than what is possible. □ It can be used to complement other methodologies.
  • 75. Risk Analysis From the Information System audit’s view, risk analysis aids in the following: ● It helps the auditor identify threats and risks within the IS environment. ● It assists in planning the audit by evaluating controls in place. ● It helps an auditor be in a position to know the audit objective. ● Decision making is easier as a risk-based methodology is used. The cycle shown on the slide: Identify Business Objectives (BO) → Identify information assets supporting the BOs → Perform Risk Assessment (RA) [Threat – Vulnerability – Impact] → Perform Risk Management (RM) [Map risks with controls in place] → Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls] → Perform Periodic Risk Reevaluation (BO/RA/RM/RT)
  • 76. Calculating Risk Exposure Factor The Exposure Factor (EF) is the percentage of value an asset lost due to an incident Single Loss Expectancy The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF) Annual Rate of Occurrence The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year Annualized Loss Expectancy The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO)
  • 77. Calculating Risk Risk Formulas Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF) Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO) Risk = Probability of the Risk × Cost of the Eventuality
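The SLE and ALE formulas above are what a risk-based audit plan uses to decide where audit effort goes first. The Python program below is an added example written for this page, not part of the course material: it implements SLE = AV × EF and ALE = SLE × ARO, ranks a set of constructed risk scenarios (all figures are made up) by ALE, and adds a simple cost-benefit check for a mitigating control, which is an assumption of this example rather than something the slides state.

```python
"""Quantitative risk figures for risk-based audit planning.

Added example for this page, not part of the course material. It applies the
slide's formulas SLE = AV x EF and ALE = SLE x ARO to a set of constructed risk
scenarios and ranks them so audit effort goes to the highest exposure first.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, the cost of a single loss (rounded to cents)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected yearly cost of the risk (rounded to cents)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def scenario_ale(scenario: RiskScenario) -> float:
    """ALE of one scenario, chaining the two formulas."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return annualized_loss_expectancy(sle, scenario.aro)


def rank_by_ale(scenarios: List[RiskScenario]) -> List[Tuple[str, float]]:
    """Highest ALE first: the order in which a risk-based audit plan
    would allocate audit attention."""
    ranked = [(s.name, scenario_ale(s)) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def control_is_cost_justified(ale_before: float, ale_after: float,
                              annual_control_cost: float) -> bool:
    """Simple cost-benefit rule (an assumption of this example, not from the
    slides): a mitigating control pays for itself when the ALE reduction it
    delivers exceeds its own annual cost."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed scenarios with illustrative figures (not real data).
SCENARIOS = [
    RiskScenario("Ransomware on file server", 500_000, 0.40, 0.5),
    RiskScenario("Laptop theft", 2_000, 1.00, 12),
    RiskScenario("Data centre flood", 3_000_000, 0.25, 0.02),
]


if __name__ == "__main__":
    for name, ale in rank_by_ale(SCENARIOS):
        print(f"{name:30s} ALE = {ale:>12,.2f}")
```

Note how the ranking differs from a ranking by single loss: the flood has by far the largest SLE, but its low ARO puts it last by ALE, while frequent small laptop losses outrank it. Quantitative figures like these still rest on estimated inputs, which is why the slides that follow stress that all risk assessment methods depend on subjective judgment.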
  • 78. Risk-based Audit Approach The risk-based audit approach is based on a concept in which determination of areas that should be audited is based on the perceived level of risk. Residual Risk – This represents management’s risk appetite. Normally, controls would be implemented to mitigate risk to acceptable levels (i.e. residual risk). Audit risk is the risk that a report or information might contain an error that is material and might be undetected through the audit period.
  • 79. Risk-based Auditing ● Risk assessment drives the audit process. ● The identification of risk, prioritization of audit areas, and allocation of audit resources should be based on risk assessment. ● Evaluation of the risk management process must be conducted at every stage to ensure that risk is being managed within the risk appetite of the organization.
  • 80. Risk Assessment and Treatment ● Risk assessments involve identifying, prioritizing, and quantifying risks against criteria for risk tolerance and objectives relevant to the organization. ● Risk assessments should be carried out regularly to ensure they address changes in security, the risk situation, and the environment, especially when key changes take place.
  • 81. Risk Assessment and Treatment Risk Treatment ● Risk Mitigation – Applying adequate controls to lower the risks ● Risk acceptance – Objectively and knowingly not taking action ● Risk avoidance – Evading risks by ensuring actions that cause the risk are prevented ● Risk transfer/sharing – Sharing the risk with third parties such as suppliers or insurance companies
  • 82. Risk Assessment Methods • Different methods are employed to perform risk assessments. Examples: Scoring System Method and Judgmental Method • A combination of methods may be used • Methods may develop and change over time • All methods depend on subjective judgment • Auditor should evaluate appropriateness of any chosen risk methodology
  • 83. Control Principles Part A: Planning 1.4 Risk-Based Audit Planning
  • 84. Types of Audits and Assessments
  • 85. Types of Audits Knowledge Statement 1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities.
  • 86. Types of Audits Explanation Internal vs. External Specific domain (i.e. financial) Reliance on other auditors Following are the various types of audits:
  • 87. Internal vs. External Audits Internal ● Pre-audits ● Compliance audits ● Post incident ● Often targeted External ● Compliance ● Regulatory ● General
  • 88. Specific Domain Specific Domain Audits PCI DSS Network Systems IT Regulatory Financial Web or E-commerce Systems Database Systems
  • 89. Reliance on Other Auditors • Past audit results • Incorporating other audits • Comparison
  • 90. Audit Factors Audit Subject The area to be audited Audit Objective The purpose of the audit Audit Scope Constrains the audit to a specific system, function, or unit, or period of time
  • 92. Part B: Execution The following topics are covered in Part B: • Audit Project Management • Sampling Methodology • Audit Evidence Collection Techniques • Data Analytics • Reporting and Communication Techniques • Quality Assurance and Improvement of the Audit Process
  • 94. Audit Project Management Plan the audit engagement Build the audit plan Execute the plan Monitor project activity
  • 95. Audit Objectives Audit objectives are the specific goals that the audit process must accomplish. The audit objectives assure the following: • Compliance with legal and regulatory requirements • Protection of the confidentiality, integrity, and availability of information and IT resources
  • 96. Audit Phases The whole auditing process can generally be divided into the following three different phases: Planning Fieldwork and documentation Reporting and follow-up
  • 97. Planning Phase Determine audit subject Determine audit objective Set audit scope Perform preaudit planning Determine procedures
  • 98. Fieldwork and Documentation Phase Acquire data Test controls Discover and validate issues Document results
  • 99. Reporting Phase Gather report requirements Draft report Issue report Follow-up
  • 100. Audit Program • An Audit Work Program represents the audit plan and strategy. It has audit procedures, scope and objectives. • The Audit Work Program: • Is a guide for documenting various audit steps performed and the types and extent of evidential matters reviewed; • Provides a trail of the process used; and • Provides accountability for performance. • IS Audit Process Steps: • Plan – assess risks, develop audit program: objectives, procedures (Guidance 5) • Obtain and evaluate evidence – strengths and weaknesses of controls • Prepare and present report – draft and final report • Follow-up – corrective actions taken by management (Guidance 35)
  • 101. Audit Methodology Audit Methodology refers to standard audit procedures to be used to achieve the planned audit objectives. It is a documented approach for performing the audit in a continuous and recurring manner to achieve the planned audit objectives. Audit Methodology Components: Scope, Audit objectives, Work programs
  • 103. Audit Project Management Part B: Execution 1.6 Audit Project Management
  • 104. Applicable Laws and Regulations for IS Audit Part B: Execution 1.6 Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audit.
  • 105. Fraud, Irregularities and Illegal Acts Explanation Fraud investigations or legal proceedings require that the integrity of the evidence be maintained throughout its life cycle (called chain of custody in forensic evidence). Legal requirements include law, regulation and/or contractual agreements placed on Audit (or IS Audit) or the Auditee. Management and audit personnel in an organization should be aware of external requirements for computer system practices and controls, and how data is processed, transmitted and stored. There is a need to comply with different laws, raising legal requirements that impact audit objectives and audit scope.
  • 106. Main Areas of Coverage The main areas covered under this knowledge statement include: Evidence; Audit Documentation; Continuous Auditing; Legal Requirements
  • 107. HIPAA and HITECH The Health Insurance Portability & Accountability Act of 1996 (HIPAA) PHI (Personal Health Information) Health Information Technology for Economic and Clinical Health Act (HITECH) Redefining what a breach is Creating stricter notification standards
  • 108. Sarbanes-Oxley and PCI Sarbanes-Oxley: Public companies must keep electronic records for 5 years PCI-DSS (Payment Card Industry-Data Security Standards)
  • 109. Cryptography Standards • ISO/IEC 7064 Data processing – Check character systems | Published 2003 • ISO/IEC 9796 Digital signature schemes giving message recovery | 3 parts published 2002–2006, under revision • ISO/IEC 9797 Message authentication codes (MACs) | 2 parts published 1999–2002, under revision, 3rd part is upcoming • ISO/IEC 9798 Entity authentication | 6 parts published 1997–2005 • ISO/IEC 10116 Modes of operation for an n-bit block cipher algorithm | Published 2006 • ISO/IEC 10118 Hash-functions | 4 parts published 1998–2004 (2006), under revision • ISO/IEC 11770 Key management | 4 parts published 1996–2006, under revision
  • 110. Balanced Score Card A type of structured report used as a performance management tool Used to track execution of activities Actually measures performance against an expected value Should define measurements from four perspectives Financial Customer Internal Process Innovation/ Learning
  • 112. Sampling Methodology Knowledge Statement 1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures.
  • 113. Sampling Methodologies
    Compliance testing involves gathering evidence to test the enterprise's compliance with control procedures. Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data, or other information. The presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that have to be done. Conversely, weaknesses in internal controls will increase the need for, or number of, substantive tests. Sampling is done when testing or verifying all transactions (the population, i.e., all items in the area being examined) is not practical given the time and cost needed.
  • 114. Sampling Methodologies
    Main Areas of Coverage:
    • Compliance vs. Substantive testing
    • Sampling
  • 115. Sampling
    A sample is a subset of population members used to infer characteristics about a population from the results of examining the characteristics of that subset. A basic understanding of sampling is necessary for the ISA. A population consists of the entire group of items that need to be examined. The sample must represent as closely as possible the characteristics of the whole population. Sampling is done when verifying all transactions or events (the population) in the audit scope is not feasible. The sample drawn must be a correct representation of the population, since all conclusions are drawn from the sample.
  • 116. General Approaches to Sampling
    Sampling can either be statistical or non-statistical.
    Statistical Sampling
    ● Uses objective judgment to determine:
      o Sample size
      o Selection criteria
      o Sample precision
      o Reliability or confidence level
    ● Can be used to infer population characteristics from the sample and is the preferred method.
    Non-statistical Sampling
    ● Uses subjective judgment to determine:
      o Method of sampling
      o Sample size
      o Sample selection
    ● Cannot be used to infer population characteristics from the sample and is not a preferred method of sampling.
  • 117. General Approaches to Sampling
    Statistical Sampling
    ● Uses statistical principles of probability and confidence level to draw a sample representative of the population
    ● The ISA decides the sample precision (how closely the sample should represent the population) and the confidence level (the number of times in 100 that the sample will represent the population)
    Non-statistical Sampling
    ● Uses the judgment of the ISA to determine the sample selection and size
    ● Increased possibility of sampling risk: the risk that the analysis/conclusions will be wrong because the sample is not representative of the population
    ● This technique may be used when drawing an inference about the population is not necessary; say, when a handful of large-value credit limits are picked for scrutiny from a population of extremely low-value credit limits
  • 118. Attribute and Variable Sampling
    Sampling methods are of two types, attribute sampling and variable sampling.
    Attribute sampling
    ● Also known as proportional sampling
    ● Deals with the presence or absence of an attribute
    ● Generally applied for compliance testing, to detect the presence or absence of an attribute and draw conclusions from the rate of incidence
    ● Conclusions expressed in rates of incidence
    ● Types:
      o Attribute sampling (fixed sample size attribute sampling, or frequency estimation)
      o Stop-or-go sampling
      o Discovery sampling
    Variable sampling
    ● Used to estimate the value of some variable, for example verification of transactions, or review of processing in programs used in the preparation of financial statements
    ● Also known as dollar estimation, mean value estimation sampling, or quantitative sampling
    ● Applied in substantive testing; deals with characteristics that vary (monetary values, measures) and with drawing conclusions regarding deviations from the norm
    ● Provides conclusions related to deviations from the norm
    ● Types:
      o Stratified mean per unit
      o Unstratified mean per unit
      o Difference estimation
  • 119. Attribute Sampling
    Fixed Sample-Size Attribute / Frequency-Estimate Sampling
    • Aim is to determine the rate of occurrence: how many, how often?
    • Example: approval signature on user account creation forms
    Stop-or-go Sampling
    • Adopted when the auditor expects few errors
    • Sample size is small and can be kept to a minimum
    Discovery Sampling
    • Adopted when errors are expected to be a rare occurrence
    • Aim is to discover:
      o fraud
      o bypassing of rules by manipulation (e.g., splitting a large order value into several smaller ones to avoid having to obtain approval from a higher authority)
  • 120. Variable Sampling
    Stratified sampling produces a higher confidence level for the same sample size, or may result in a lower sample size for the same confidence level, while other attributes are kept equal.
    Stratified Mean Per Unit
    • Population is divided into strata, and samples are drawn from the various strata
    • Stratification, if properly applied, reduces the sample size relative to unstratified mean per unit
    Unstratified Mean Per Unit
    • Mean is calculated for the entire sample, without stratification, and extrapolated to the entire population
    • It increases the sample size
    Difference Estimation
    • Technique used to estimate the difference between the audited values and the book values, on the basis of differences observed in the sample
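    The three variable-sampling estimators named on the slide above, worked through in code. This is an added illustration, not material from the course deck or from ISACA: the population of 20 invoice book values, the two audited values that differ from the book values, and the systematic (every k-th item) sample selection are all constructed for the example. It shows, on the same population, that the stratified mean-per-unit estimate lands closer to the true audited total than the unstratified one, and that difference estimation projects only the errors actually observed in the sample.

```python
"""Variable sampling estimators over a constructed invoice population.

Assumptions (not from the course deck): the book values, the audited
values and the systematic sample selection below are constructed.
"""


def mean_per_unit(sample_audited, population_size):
    """Unstratified mean per unit: sample mean extrapolated to N items."""
    return sum(sample_audited) / len(sample_audited) * population_size


def stratified_mean_per_unit(strata):
    """strata: list of (stratum_population_size, sampled_audited_values).
    Each stratum is extrapolated separately, then the results are summed."""
    return sum(mean_per_unit(values, size) for size, values in strata)


def difference_estimate(sample_pairs, population_size, total_book_value):
    """sample_pairs: (book_value, audited_value) for each sampled item.
    The mean difference found in the sample is projected to N items and
    applied to the recorded (book) total."""
    diffs = [audited - book for book, audited in sample_pairs]
    return total_book_value + sum(diffs) / len(diffs) * population_size


# Constructed population: 16 small invoices (100..250) and 4 large ones.
SMALL_BOOK = [100 + 10 * i for i in range(16)]
LARGE_BOOK = [5000, 6000, 7000, 8000]
BOOK = SMALL_BOOK + LARGE_BOOK

# Constructed audited values: two recorded amounts are overstated.
AUDITED = list(BOOK)
AUDITED[2] = 100        # book 120, audited 100
AUDITED[18] = 6500      # book 7000, audited 6500


def run_demo():
    """Estimate the audited total three ways and report the results."""
    n = len(BOOK)
    true_total = sum(AUDITED)
    book_total = sum(BOOK)

    # Unstratified systematic sample: every 4th item of the whole list.
    idx = list(range(0, n, 4))                      # 0, 4, 8, 12, 16
    unstratified = mean_per_unit([AUDITED[i] for i in idx], n)
    diff_est = difference_estimate(
        [(BOOK[i], AUDITED[i]) for i in idx], n, book_total)

    # Stratified: every 4th small invoice plus every 2nd large invoice,
    # so the large stratum is not under-represented.
    small_idx = list(range(0, 16, 4))               # 0, 4, 8, 12
    large_idx = [16, 18]
    stratified = stratified_mean_per_unit([
        (len(SMALL_BOOK), [AUDITED[i] for i in small_idx]),
        (len(LARGE_BOOK), [AUDITED[i] for i in large_idx]),
    ])
    return {
        "true_total": true_total,
        "book_total": book_total,
        "unstratified_mpu": unstratified,
        "stratified_mpu": stratified,
        "difference_estimate": diff_est,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>20}: {value}")
```

    On this population the unstratified mean-per-unit sample happens to catch one large invoice and projects it across all 20 items, which is exactly the distortion stratification is meant to remove; the difference estimate is close because the sampled items carried no differences, which is why the technique is suited to populations where errors are few.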
  • 121. Sampling Terms (applicable to both attribute and variable sampling)
    Confidence Coefficient / Level / Reliability Factor
    • The probability that the sample is representative of the population, in relation to the characteristic observed, expressed as a percentage
    • A 95% confidence coefficient implies a 95% chance that the sample is representative of the population
    • Depending on the assessment of the effectiveness of internal controls, the ISA will vary the sample size
    • The greater the confidence level the ISA desires, the larger the sample size
    Level of Risk
    • The opposite of the confidence coefficient: the risk that the sample is not representative of the population
    • If the confidence coefficient is 95%, the level of risk is 5%
  • 122. Sampling Terms (applicable to both attribute and variable sampling)
    Precision
    • The range of difference between the sample and the population acceptable to the ISA
    • Expressed as a percentage for attribute sampling and as a numerical value for variable sampling
    • The higher the precision level, the lower the sample size, and vice versa
    Sample / Population Standard Deviation
    • A measure of the variance or spread of values around the mean
  • 123. Sampling Terms
    Expected Error Rate (applicable to attribute sampling only)
    • The expected error, in percentage
    • Applied only to attribute sampling, not variable sampling
    • If the expected error rate is high, the sample size will have to be increased
    Tolerable Error Rate (applicable to both attribute and variable sampling)
    • Expressed as a percentage, it represents the maximum degree of error that can exist without the result being materially misstated
    • Defines the maximum precision, using the tolerable error rate, within permissible limits
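    The sampling terms on the three slides above (confidence coefficient, level of risk, precision, expected and tolerable error rate) and the fixed-sample-size attribute sampling slide describe one calculation; this worked example carries it through. It is added here as an illustration and is not part of the course deck or ISACA's material. It assumes the normal-approximation sample-size formula n = Z²·p·(1−p)/E², where p is the expected error rate and E (the precision) is the tolerable minus the expected error rate, with the usual Z values for the three confidence levels; the sample results used in the demo are constructed. Published attribute-sampling tables based on the binomial distribution give somewhat larger sizes and a non-zero upper limit even at zero deviations, so treat this as a planning illustration, not a replacement for the tables.

```python
"""Attribute sampling: planned sample size and evaluation of a drawn sample.

Assumptions (not from the course deck): normal-approximation formula
n = Z^2 * p * (1 - p) / E^2, standard Z values per confidence level,
and constructed sample results for the demo.
"""
import math

# Confidence coefficient -> Z, the two-sided standard normal quantile.
Z_FOR_CONFIDENCE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def level_of_risk(confidence):
    """Sampling risk is the complement of the confidence coefficient."""
    return round(1.0 - confidence, 4)


def attribute_sample_size(confidence, expected_error, tolerable_error):
    """Planned size for fixed-sample-size (frequency-estimate) attribute
    sampling.  precision = tolerable - expected error rate.  A higher
    confidence coefficient, a higher expected error rate or a tighter
    precision each increase the sample size."""
    if not 0.0 <= expected_error < tolerable_error < 1.0:
        raise ValueError("need 0 <= expected error < tolerable error < 1")
    z = Z_FOR_CONFIDENCE[confidence]
    precision = tolerable_error - expected_error
    n = z ** 2 * expected_error * (1.0 - expected_error) / precision ** 2
    return math.ceil(n)


def evaluate_attribute_sample(sample, confidence, tolerable_error):
    """Evaluate a drawn sample.  Each element is True when the attribute
    is missing (a deviation), e.g. a user account creation form without
    an approval signature.  The control is relied upon only if the upper
    error limit at the chosen confidence stays within the tolerable rate."""
    n = len(sample)
    deviations = sum(1 for deviation in sample if deviation)
    observed = deviations / n
    z = Z_FOR_CONFIDENCE[confidence]
    # Normal-approximation upper limit; with zero deviations this
    # collapses to 0, where published tables still give a positive bound.
    upper = observed + z * math.sqrt(observed * (1.0 - observed) / n)
    return {
        "sample_size": n,
        "deviations": deviations,
        "observed_rate": round(observed, 4),
        "upper_error_limit": round(upper, 4),
        "control_relied_upon": upper <= tolerable_error,
    }


if __name__ == "__main__":
    # Planning: 95% confidence, 2% expected, 5% tolerable -> 84 forms.
    n = attribute_sample_size(0.95, 0.02, 0.05)
    print("planned sample size:", n, "level of risk:", level_of_risk(0.95))
    # Constructed results: 2 of the 84 sampled forms lack a signature.
    results = [True] * 2 + [False] * (n - 2)
    print(evaluate_attribute_sample(results, 0.95, 0.05))
```

    Raising the confidence coefficient to 99% or narrowing the precision (tolerable 4% instead of 5%) both enlarge the planned sample, as the slides state; and two deviations in 84 items already push the upper error limit past a 5% tolerable rate, which is the point at which the ISA stops relying on the control and turns to more substantive testing.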
  • 125. Evidence Collection Techniques Knowledge Statement 1.7 Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence.
  • 126. Evidence Collection Techniques
    Explanation:
    • Audit findings must be supported by objective evidence
    • Know the techniques to gather and preserve evidence
    • Information is gathered through inquiry, observation, interview, and analysis using CAATs (Computer Assisted Auditing Techniques) such as ACL and IDEA, among others
    • Electronic media may be used to retain audit evidence to support audit findings
    • Retention policies should meet the requirements for such evidence to support audit findings
  • 127. Main Areas of Coverage
    • Computer Assisted Audit Techniques (CAATs)
    • Evidence
    • Interviewing and Observing Personnel in Performance of their Duties
    • Continuous Auditing
    • Audit Documentation
  • 128. Evidence
    • Is the information the Information Systems Auditor (ISA) gathers while performing an IS audit to meet the audit objectives by supporting the audit findings
    • Must directly relate to the objectives of the review
    • Is key to the audit process
    • Is mandatory under standard “S6 Performance of Audit Work”
    • Should be appropriately organized and documented to support the findings and conclusion(s)
  • 129. Reliability of Evidence
    Determinants for the reliability of evidence include:
    • Independence of the provider of the evidence
    • Qualification of the individual providing the information/evidence
    • Objectivity of the evidence
    • Timing of the evidence
    Given an audit scenario in the exam, a candidate should be able to determine which type of evidence gathering technique would be best.
  • 130. Evidence Characteristics and Types
    The confidence level of evidence is based on its value; audit evidence is considered:
    • Sufficient if it is complete, adequate, convincing, and would lead another ISA to form the same conclusions
    • Useful if it assists ISAs in meeting their audit objectives
    • Reliable if, in the auditor's opinion, it is valid, factual, objective and supportable
    • Relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
  • 131. Techniques for Gathering Evidence
    Techniques for gathering evidence include the following:
    • Reviewing IS organizational structures
    • Reviewing IS documentation
    • Reviewing IS standards
    • Reviewing IS policies and procedures
    • Walkthroughs
    • Re-performance
    • Observing processes and employee performance
    • Interviewing appropriate personnel
  • 132. Audit Documentation
    Audit documentation should include a record of:
    • Planning and preparation of audit scope and objectives
    • Description and/or walkthroughs on the scoped audit area
    • Audit program
    • Audit steps performed and audit evidence gathered
    • Use of services of other auditors or experts
    • Audit findings, conclusions, and recommendations
    • Audit documentation related to document identification and dates
  • 134. Data Analytics
    Explanation:
    • Audit findings must be supported by objective evidence
    • Know the techniques to gather and preserve evidence
    • Information is gathered through inquiry, observation, interview, and analysis using CAATs (Computer Assisted Auditing Techniques) such as ACL and IDEA, among others
    • Electronic media may be used to retain audit evidence to support audit findings
    • Retention policies should meet the requirements for such evidence to support audit findings
  • 135. Computer Assisted Audit Techniques (CAATs)
    CAATs are automated tools and techniques used for gathering and analyzing data from computer systems to meet a predetermined audit objective.
    The CAATs process involves:
    ● Understanding the client
    ● Obtaining effective evidence
    ● Data analysis
    ● Reporting
    CAATs are necessitated by differences in hardware and software environments, data structures, record formats, and processing functions.
    Examples of CAATs:
    ● Generalized audit software, e.g. IDEA, ACL
    ● Utility software, e.g. DBMS report writers
    ● Debugging and scanning software
    ● Test data
    ● Expert systems
    ● SQL commands
    ● Third-party access control software
    ● Application software tracing and mapping
    ● Options and reports built into a system
  • 136. Computer-Assisted Auditing Techniques (CAATs)
    • Collate and analyze diverse data; information systems employ diverse hardware, software, databases, data structures, and formats for audit evidence
    • Provide a means of analyzing data to achieve audit objectives
    • Enable the ISA to work independently, eliminating continuous assistance from the IT function
    Types of CAATs:
    • GAS (Generalized Audit Software)
    • Utility software
    • Industry-specific audit software
    • Fourth-generation languages like SQL
    • Expert systems
    • Neural networks
    • Application software tracing
    • Mapping
  • 137. Types of CAATs
    Generalized Audit Software (GAS)
    • Standard, off-the-shelf software which can read data from diverse database platforms, flat files, and ASCII formats
    • The ISA can utilize the built-in functions of the software
    • Functions of GAS include:
      o File access and reorganization
      o Sampling
      o Filtration
      o Statistical analysis
      o Stratification and frequency analysis
      o Report generation
      o Duplicate checking
      o Recomputation
    • Limitations of GAS include:
      o Not suitable for concurrent auditing
      o Can only conduct post-event audit
      o Limited capabilities to verify processing logic
  • 138. Types of CAATs
    Utility Software
    • Is part of a suite of programs like copy and sort programs, report generators, disk search utilities, and fourth-generation languages like SQL (Structured Query Language).
  • 139. Types of CAATs
    Industry-specific Audit Software
    • While GAS is generic in nature, audit software specific to some industries, like financial services, insurance, and health care, is also available.
    • They include built-in queries to perform audit functions in specific industries, say, check kiting in banking.
    • Constructing similar queries in GAS would need more effort and skills.
  • 140. Types of CAATs
    Expert System
    • This is a type of artificial intelligence that incorporates a knowledge base containing the knowledge of human experts in the concerned domain.
    • The inference engine in the expert system compares the data presented against the knowledge base to draw conclusions.
    • Expert systems can be used for:
      o Risk analysis
      o Evaluation of internal controls and assessing whether provisions for doubtful debts are adequate
  • 141. Types of CAATs
    Neural Networks
    • These are designed to mimic the neurons of the human brain.
    • They can be “trained” to recognize patterns that indicate certain occurrences, like fraud.
  • 142. Types of CAATs
    Continuous Online Audit
    • CAATs can be used to implement ongoing monitoring.
    • They can be configured to continuously analyze data, either in real time or at near-real-time intervals, in furtherance of preset audit objectives.
  • 143. Computer Assisted Audit Techniques (CAATs)
    Functional capabilities of Generalized Audit Software (GAS) are as follows:
    • File access: reading different file structures and record formats
    • File reorganization: indexing, sorting, merging, linking
    • Data selection: filtration conditions, selection criteria
    • Statistical functions: sampling, stratification, frequency analysis
    • Arithmetic functions: arithmetic operators and functions
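    The GAS functions listed on slides 137 and 143 (file access, data selection/filtration, stratification and frequency analysis, duplicate checking, recomputation) are easier to picture as code than as a list, so here they are applied to a small purchase-order file. This is an added example written for this page with Python's standard library, not the deck's material and not the output of any GAS product such as ACL or IDEA; the eight purchase-order records, the approval threshold of 5,000 and the stratification bands are all constructed. The last check implements the discovery-sampling concern on slide 119 (several orders from one vendor on one day, each below the approval limit but together above it).

```python
"""CAAT-style checks over a constructed purchase-order file.

Assumptions (not from the course deck): the CSV records, the approval
threshold and the stratification bands below are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample file: one recorded amount does not recompute,
# one order lacks an approver, two orders are duplicates, and two
# vendors show same-day orders that only exceed the limit in total.
SAMPLE_CSV = """po_id,date,vendor,qty,unit_price,amount,approver
PO-1001,2024-03-01,Acme Ltd,10,120.00,1200.00,jsmith
PO-1002,2024-03-01,Acme Ltd,40,120.00,4800.00,jsmith
PO-1003,2024-03-01,Acme Ltd,40,120.00,4800.00,jsmith
PO-1004,2024-03-02,Globex,3,999.00,2997.00,jsmith
PO-1005,2024-03-02,Globex,5,999.00,4999.00,jsmith
PO-1006,2024-03-02,Globex,5,999.00,4995.00,
PO-1007,2024-03-03,Initech,1,7500.00,7500.00,cfo
PO-1008,2024-03-04,Initech,2,300.00,600.00,jsmith
"""

APPROVAL_THRESHOLD = Decimal("5000.00")   # constructed policy limit
BANDS = [("under_1000", 0, 1000), ("1000_to_4999", 1000, 5000),
         ("5000_and_over", 5000, None)]


def load_records(text):
    """File access: parse the flat file into typed records (Decimal for money)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "po_id": r["po_id"], "date": r["date"], "vendor": r["vendor"],
            "qty": int(r["qty"]), "unit_price": Decimal(r["unit_price"]),
            "amount": Decimal(r["amount"]), "approver": r["approver"].strip(),
        })
    return rows


def filter_records(rows, min_amount):
    """Data selection: orders at or above a value of interest."""
    return [r["po_id"] for r in rows if r["amount"] >= min_amount]


def recompute_amounts(rows):
    """Recomputation: rows whose recorded amount != qty * unit_price."""
    return [r["po_id"] for r in rows if r["qty"] * r["unit_price"] != r["amount"]]


def find_duplicates(rows):
    """Duplicate checking on (vendor, date, amount)."""
    key = lambda r: (r["vendor"], r["date"], r["amount"])
    counts = Counter(key(r) for r in rows)
    return sorted(r["po_id"] for r in rows if counts[key(r)] > 1)


def stratify(rows, bands):
    """Stratification and frequency analysis: count and total per band."""
    out = {label: {"count": 0, "total": Decimal("0")} for label, _, _ in bands}
    for r in rows:
        for label, lo, hi in bands:
            if r["amount"] >= lo and (hi is None or r["amount"] < hi):
                out[label]["count"] += 1
                out[label]["total"] += r["amount"]
                break
    return out


def missing_approval(rows):
    """Attribute test: orders with no approver recorded."""
    return [r["po_id"] for r in rows if not r["approver"]]


def split_orders(rows, threshold):
    """Same vendor, same day, every order below the limit, total above it."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["date"])].append(r)
    flagged = []
    for (vendor, date), items in groups.items():
        if (len(items) > 1 and all(i["amount"] < threshold for i in items)
                and sum(i["amount"] for i in items) >= threshold):
            flagged.append((vendor, date, [i["po_id"] for i in items]))
    return sorted(flagged)


if __name__ == "__main__":
    rows = load_records(SAMPLE_CSV)
    print("amount >= 4500:", filter_records(rows, Decimal("4500")))
    print("recompute mismatch:", recompute_amounts(rows))
    print("duplicates:", find_duplicates(rows))
    print("strata:", stratify(rows, BANDS))
    print("missing approval:", missing_approval(rows))
    print("possible split orders:", split_orders(rows, APPROVAL_THRESHOLD))
```

    Each function returns the exceptions rather than printing them, which is how a GAS workbook is normally built: the exception lists become the audit documentation for the step, and the stratification totals give the population profile used to plan a variable sample.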
  • 145. Reporting and Communication Techniques Knowledge Statement 1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification).
  • 146. Reporting and Communication Techniques
    Explanation: Communication needs to be effective and clear to improve the quality of the audit and maximize results. When an argument ensues between the auditor and the auditee during the presentation of the final IS audit findings report over the accuracy of the findings, it makes the audit process counterproductive and quickly dilutes the audit process and its value. Audit findings reported to stakeholders need appropriate buy-in from the auditees for the audit process to be successful and value adding. Communication and negotiation skills are required throughout the audit activity. Communication skills determine the effectiveness of the audit reporting process.
  • 147. Audit Report Objectives
    The objectives of audit reporting are:
    • Formally presenting the audit report to the auditee or client
    • Providing statements of assurance of controls
    • Identifying areas that require corrective actions
    • Providing recommendations
    • Formally seeking closure of the audit engagement
  • 148. Main Areas of Coverage
    The main areas of coverage:
    • Information Technology Assurance Framework (ITAF) (Section 2600 – Reporting Standards)
    • Communicating Audit Results
  • 149. Communication of Audit Results
    Presentation techniques include:
    ● Executive summary: an easy-to-read, concise report that presents a summary of the entire report
    ● Visual presentation: may include slides or computer graphics
    Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. This is to ensure agreement is reached on both the findings and the corrective action to be taken. The CISA candidate should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards.
    During exit interviews, the IS auditor should:
    • Ensure facts presented in the report are accurate
    • Ensure recommendations are realistic and cost-effective
    • Recommend implementation dates for agreed-on recommendations
  • 150. Communication Skills
    • Facilitation
    • Negotiation
    • Conflict resolution
    • Issue writing
  • 151. The Report
    Identify and include:
    • Organization, recipients, restriction on circulation
    • Scope, objectives, period of coverage, nature, timing, and extent
    • Findings, conclusions, recommendations/follow up, and reservations or qualifications
      o Grouped by materiality or intended recipient
      o Mention faults and constructive corrections
    • Evidence to support results (may be separate)
    • Overall findings, conclusion, and opinion
    • Signed and dated
  • 152. Audit Report Basics
    An audit report includes the following features:
    • Organization, recipients and restriction on circulation
    • Scope, objectives, period of coverage, nature, timing, and extent
    • Findings, conclusions, recommendations/follow-ups, and reservations/qualifications
      o Grouped by materiality or intended recipient
      o Mention faults and constructive corrections
    • Evidence to support results
    • Overall findings, conclusion, and opinion
    • Signature and date
  • 153. Follow-Up Activities
    • An IS auditor should conduct a follow-up program to determine whether management has implemented the agreed-on corrective actions.
    • The results of the follow-up should be communicated appropriately.
  • 154. Quality Assurance and Improvement of the Audit Process
  • 155. Audit Assurance Systems and Frameworks Knowledge Statement 1.10 Knowledge of audit quality assurance (QA) systems and frameworks.
  • 156. Quality Assurance and Improvement of the Audit Process Explanation Auditing standards are the minimum parameters to be taken into account when performing an audit. An IS auditor has to understand the impact of the IS environment on traditional auditing practices and techniques to ensure the audit objective is achieved. Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of a facilitator to business process owners to help them define and assess appropriate controls (taking into consideration the risk appetite of the organization). Process owners are best placed to define appropriate controls due to their process knowledge. IS auditors help process owners understand the need for controls based on business risk.
  • 157. Main Areas of Coverage
    The main areas covered under this knowledge statement are as follows:
    • Audit programs
    • Audit methodology
    • Audit objectives
    • Evaluation of audit strengths and weaknesses
    • Control Self Assessment (CSA)
    • Objectives, advantages, and disadvantages of CSA
    • Auditor's role in CSA
    • Using services of other auditors and experts
    • Traditional vs. CSA approach
  • 158. Control Self Assessment (CSA) CSA is a methodology used to review key business objectives, risks involved in achieving the business objectives, and internal controls designed to manage these business risks in a formal, documented collaborative process. CSA is a management technique that assures stakeholders, customers, and other parties that the internal control system of the organization is reliable. It ensures employees are aware of business risk and that they conduct periodic, proactive reviews of controls. CSA involves a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops.
  • 159. Objectives of a CSA
    Control Objectives for Information and Related Technology (COBIT) provides guidance on the development of a CSA. Following are the objectives of a CSA:
    • Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
    • Ensure line managers are in charge of monitoring controls
    • Educate management on control design and monitoring
  • 160. COBIT
    Some important facts about COBIT are:
    • Control Objectives for Information and related Technology
    • ISACA first released COBIT in 1996
    • Revised in 2005 to become ISO 17799:2005
    • ISACA published the current version, COBIT 5, in 2012
    • Contains 134 detailed information security controls based on 11 areas
  • 161. Benefits of a CSA
    Benefits of a CSA include the following:
    • Early detection of risk
    • More effective and improved internal controls
    • Creates cohesive teams through employee involvement
    • Develops a sense of ownership of controls in employees and process owners
    • Improved audit rating process
    • Reduction in control cost
    • Increased communication between operations and top management
    • Highly motivated employees
    • Assurance provided to stakeholders and customers
  • 162. CSA Disadvantages and Role of Auditor
    Disadvantages of a CSA
    ● Might be mistaken as a replacement for the audit function
    ● May be taken as additional workload (e.g. writing reports to management)
    ● Failure to act on improvement suggestions could damage employee morale
    ● Inadequate motivation limits effectiveness in the discovery of weak controls
    Auditor's role in CSA
    ● Internal control professional and assessment facilitator (management staff participates in the CSA process, not the auditor)
  • 163. Traditional vs. CSA Approach
    The following table compares the traditional audit approach with CSA:
    Traditional Audit Approach        | CSA
    Assigns tasks                     | Empowered and accountable employees
    Policy-driven                     | Continuous improvement learning curve
    Limited employee participation    | Extensive employee participation and training
    Limited stakeholder focus         | Broad stakeholder focus
    Auditors and other specialists    | Staff at all levels and in all functions are the primary control analysts
  • 164. Domain One Exam Quick Pointers
    1. The auditor is a facilitator in a Control Self Assessment.
    2. Examples of substantive tests include testing samples of an inventory of backup tapes.
    3. Control Self Assessment (CSA) enhances audit responsibility as one of its key objectives.
    4. Accountability cannot be enforced without authentication and identification in an access control.
    5. IS auditors are likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within acceptable limits.
    6. Identification of high-risk areas is the most important step in an audit plan.
    7. The auditor should be aware of data flows within an enterprise when assessing corrective, preventive, or detective controls.
    8. Responsibility and accountability can be established by the use of audit trails.
  • 165. Domain One Exam Quick Pointers 9. 10. 11. 12. 13. 14.
  • 167. QUIZ 1
    An audit charter should ________.
    a. summarize the responsibilities, authority and scope of an internal audit department
    b. define audit processes
    c. outline audit goals and how to achieve them
    d. keep track with the change in information technology
  • 168. QUIZ 1
    An audit charter should ________.
    a. summarize the responsibilities, authority and scope of an internal audit department
    b. define audit processes
    c. outline audit goals and how to achieve them
    d. keep track with the change in information technology
    The correct answer is a. An audit charter should summarize the responsibility, authority, and scope of an audit department.
  • 169. QUIZ 2
    An audit report prepared by the information systems auditor should be corroborated by ________.
    a. supporting statements from IS management
    b. work-papers of senior auditors
    c. control self-assessment from the organization
    d. appropriate, relevant, and sufficient audit evidence
  • 170. QUIZ 2
    An audit report prepared by the information systems auditor should be corroborated by ________.
    a. supporting statements from IS management
    b. work-papers of senior auditors
    c. control self-assessment from the organization
    d. appropriate, relevant, and sufficient audit evidence
    The correct answer is a. An IS auditor should have statements from IS management to ensure that they are in agreement with the findings as well as the corrective action to be taken.
  • 171. QUIZ 3
    An IS auditor reviews the previous audit plan implemented for a client and finds that it was designed to review the company network and e-mail systems, but not the e-commerce Web server. The IT manager indicates that the preferred focus for audit is the newly implemented ERP application. How should the auditor respond?
    a. Determine the highest-risk systems and plan the audit based on the results
    b. Audit the new ERP application as requested by the IT manager
    c. Audit both the e-commerce server and the ERP application
    d. Audit the e-commerce server since it was not audited last year
  • 172. QUIZ 3
    An IS auditor reviews the previous audit plan implemented for a client and finds that it was designed to review the company network and e-mail systems, but not the e-commerce Web server. The IT manager indicates that the preferred focus for audit is the newly implemented ERP application. How should the auditor respond?
    a. Determine the highest-risk systems and plan the audit based on the results
    b. Audit the new ERP application as requested by the IT manager
    c. Audit both the e-commerce server and the ERP application
    d. Audit the e-commerce server since it was not audited last year
    The correct answer is c. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. The IS auditor should not rely on the prior-year audit plan since it may not have been designed to reflect a risk-based approach.
  • 173. QUIZ 4
    When testing program change requests, an IS auditor found that the population of changes was too small to provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?
    a. Report the finding to management as a deficiency.
    b. Create additional sample changes to programs.
    c. Develop an alternate testing procedure.
    d. Perform a walk-through of the change management process.
  • 174. QUIZ 4
    When testing program change requests, an IS auditor found that the population of changes was too small to provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?
    a. Report the finding to management as a deficiency.
    b. Create additional sample changes to programs.
    c. Develop an alternate testing procedure.
    d. Perform a walk-through of the change management process.
    The correct answer is a. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.
  • 175. QUIZ 5
    The main advantage derived from an enterprise employing a control self-assessment (CSA) process is that it:
    a. enables management to delegate responsibility.
    b. can replace the traditional audit methods.
    c. allows the auditor to independently assess risks.
    d. identifies high-risk areas that require a detailed review later.
  • 176. QUIZ 5
    The main advantage derived from an enterprise employing a control self-assessment (CSA) process is that it:
    a. enables management to delegate responsibility.
    b. can replace the traditional audit methods.
    c. allows the auditor to independently assess risks.
    d. identifies high-risk areas that require a detailed review later.
    The correct answer is d. Control Self Assessment is based on the review of high-risk areas that will need either a more thorough review at a later date or immediate attention.
  • 178. Case Study 1
    The IS auditor has been asked to perform a pre-audit review to assess the company's readiness for a regulatory compliance audit. The regulatory requirements include management taking an active role in IT management, including managerial review and testing of IT controls. The areas to assess in the upcoming regulatory compliance audit include physical controls, logical controls, end-user computing, and change management. The IS auditor has only two weeks to complete the pre-audit review. Previous audits found no issues with physical controls or end-user computing but did find issues with logical controls and change management. Previous issues found include inadequate password management and changes that were not all reviewed by a change approval board.
  • 179. QUIZ 1
    Which of the following would be the most important item for the IS auditor to check first?
    a. Password management
    b. Change approval
    c. Patch management
    d. Physical security
  • 180. QUIZ 1
    Which of the following would be the most important item for the IS auditor to check first?
    a. Password management
    b. Change approval
    c. Patch management
    d. Physical security
    The correct answer is a. Password management and change approval were both identified as issues in previous audits. However, password management is a more critical issue, and it is less time consuming to check. It may not be possible to review change management within the time allotted.
  • 181. QUIZ 2
    If time permits, should the IS auditor review physical controls and end-user computing, even though there were no problems noted in previous audits?
    a. Yes, check both if time permits
    b. No, as there were no previous issues
    c. If possible, check physical controls but not end-user computing
    d. If possible, check end-user computing then physical controls
  • 182. QUIZ 2
    If time permits, should the IS auditor review physical controls and end-user computing, even though there were no problems noted in previous audits?
    a. Yes, check both if time permits
    b. No, as there were no previous issues
    c. If possible, check physical controls but not end-user computing
    d. If possible, check end-user computing then physical controls
    The correct answer is a. Simply because there have not been issues in the past does not mean an area should not be reviewed during an audit. If time permits, every area that will be addressed in the regulatory compliance audit should be reviewed.
  • 183. Case Study 2
    An IS auditor has been tasked to audit a financial application used by a bank to process loan applications. The application can be accessed via a Web interface from anywhere in the world. The company maintains the Web server internally (that is, it is not outsourced) as well as the back-end database. The auditor has limited time and may not be able to do a complete audit.
  • 184. QUIZ 1
    Which of the following tools would be most helpful in this audit?
    a. General audit software application tool
    b. Statistical analysis tool
    c. Web vulnerability testing tool
    d. General vulnerability assessment tool
  • 185. QUIZ 1
    Which of the following tools would be most helpful in this audit?
    a. General audit software application tool
    b. Statistical analysis tool
    c. Web vulnerability testing tool
    d. General vulnerability assessment tool
    The correct answer is c. Since the application is accessed via the Web, the most critical item to audit is the Web interface. This is where most security issues would be helpful in an audit.
  • 186. QUIZ 2
    In this scenario, what is the order of importance of items checked?
    a. Firewall, VPN, Web server, Database server
    b. VPN, Firewall, Database server, Web server
    c. Database server, VPN, Web server, Firewall
    d. Web server, Firewall, Database server, VPN
  • 187. QUIZ 2
    In this scenario, what is the order of importance of items checked?
    a. Firewall, VPN, Web server, Database server
    b. VPN, Firewall, Database server, Web server
    c. Database server, VPN, Web server, Firewall
    d. Web server, Firewall, Database server, VPN
    The correct answer is d. The Web server is the most important as it is the publicly facing interface most vulnerable to attack. The database is protected by the firewall, so the next item to check is the firewall. VPN connections need not be checked, as there is no VPN used in this scenario.
  • 188. Key Takeaways
    You are now able to:
    • Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
    • Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
    • Communicate audit progress, findings, results, and recommendations to stakeholders
    • Conduct an audit follow-up to evaluate whether risks have been sufficiently addressed
    • Evaluate IT management and monitoring of controls
    • Utilize data analytics tools to streamline an audit process
    • Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
    • Identify opportunities for process improvement in the organization's IT policies and practices