Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
CISA – Certified Information Systems Auditor Study Guide
CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual 2024 with over 1000 practice questions to ace the exam , Third Edition

Arrow left icon
Profile Icon Hemang Doshi
Arrow right icon
€37.99
Paperback Oct 2024 356 pages 3rd Edition
eBook
€8.99 €29.99
Paperback
€37.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Hemang Doshi
Arrow right icon
€37.99
Paperback Oct 2024 356 pages 3rd Edition
eBook
€8.99 €29.99
Paperback
€37.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€8.99 €29.99
Paperback
€37.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

CISA – Certified Information Systems Auditor Study Guide

Audit Execution

In the first chapter, you learned about audit-planning procedures and best practices. In this chapter, you will learn how to effectively and efficiently execute the audit plan. Audit execution involves gathering and analyzing evidence, testing internal controls, and documenting findings to ensure accuracy and thoroughness. It includes identifying issues, communicating progress with stakeholders, and managing resources effectively.

This chapter covers Domain 1, Information Systems Auditing Process, part B, Execution, of the CISA exam. The following topics will be covered in this chapter:

  • Audit project management
  • Audit testing and Sampling methodology
  • Audit evidence collection techniques
  • Data analytics
  • Reporting and communication techniques
  • Control self-assessment
  • Agile auditing
  • Quality assurance of audit processes
  • Use of AI in the audit process

By the end of this chapter, you will have detailed knowledge of information systems (ISs), business, and risk management processes that help protect the assets of an organization.

Audit Project Management

An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

  • To confirm that internal control exists
  • To evaluate the effectiveness of internal controls
  • To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit management project process has three phases. The first phase is planning, the second phase is execution, and the third phase is reporting. An IS auditor should be aware of the steps involved in the phases of an audit management process, as shown in the following table:

Phase

Audit Steps

Description

Planning

Assess risk and determine audit areas

The first step is to conduct a risk assessment and identify the function, process, system, and physical location to be audited

Determine audit objective

The primary goal during the planning stage of an IS audit is to address the audit objectives

The audit objective (i.e., the audit purpose) is also to be determined

An audit may be conducted for regulatory or contractual requirements

Determine the audit scope

The next step is to identify and determine the scope of the audit

The scope may be restricted to a few applications or a few processes only

Defining the scope will help the auditor determine the resources required for conducting the audit

Conduct pre-audit planning

Pre-audit planning includes understanding the business environment and the relevant regulations

It includes conducting risk assessments to determine areas of high risk

It also includes determining resource requirements and audit timings

Determine audit procedures

The audit program is designed on the basis of pre-audit information, which includes resource allocation and audit procedures to be followed

During this step, audit tools and audit methodology are developed to test and verify the controls

Execution

Gather data

The next step is to gather relevant data and documents for conducting the audit

Evaluate controls

Once the required information, data, and documents are available, the auditor is required to evaluate the controls to verify their effectiveness and efficiency

Validate and document the results

Audit observations should be validated and documented along with the relevant evidence

Reporting

Draft report

A draft report should be issued to obtain comments from management on the audit observations

Before issuance of the final report, the draft report should be discussed with management

Issue report

The final report should contain audit findings, recommendations, comments, and the expected date of closure of the audit findings

Follow up

A follow-up should be done to determine whether the audit findings are closed and a follow-up report should be issued

Table 2.1: Phases of an audit process

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Questions

Possible Answers

What does an IS audit provide?

Reasonable assurance about the coverage of material items

What is the first step of an audit project?

To develop an audit plan

What is the major concern in the absence of established audit objectives?

Not being able to determine key business risks

What is the primary objective of performing a risk assessment prior to the audit?

Allocating audit resources to areas of high risk

What is the first step of the audit planning phase?

Conducting risk assessments to determine the areas of high risk

What is an important consideration when planning the scope and objectives of an IS audit?

Applicable statutory requirements

Table 2.2: Key aspects for the CISA exam

Audit sampling is an important element of audit project management and selecting an appropriate sampling methodology is critical for gathering the relevant data and drawing accurate conclusions. The next section discusses sampling methodologies.

Audit testing and Sampling methodology

Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. Therefore, samples are a subset of the population.

Sampling is an integral part of audit execution as it allows auditors to efficiently evaluate the overall effectiveness of processes without the need to review every single item.

Sampling Types

This is a very important topic from a CISA exam perspective. Two or three questions can be expected on this topic. A CISA candidate should have an understanding of the sampling techniques discussed in the next subsections.

Statistical Sampling

This is an objective sampling technique. This is also known as non-judgmental sampling. It uses the laws of probability, where each unit has an equal chance of selection. In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.

For example, suppose the total population is 100 and the auditor wants to select 10% as a sample. In statistical sampling, the auditor will use random sampling to select 10 accounts. This ensures that every account has an equal chance of being selected, minimizing selection bias.

Non-Statistical Sampling

This is a subjective sampling technique. It’s also known as judgmental sampling. The auditor uses their experience and judgment to select the samples that are material and represent a higher risk.

Attribute Sampling

Attribute sampling is the simplest kind of sampling based on certain attributes; it measures basic compliance. It answers the question, How many?. It is expressed as a percentage—for example, 90% complied. Attribute sampling is usually used in compliance testing.

Variable Sampling

Variable sampling offers more information than attribute sampling. It answers the question, How much?. It is expressed in monetary value, weight, height, or some other measurement—for example, an average profit of $25,000. Variable sampling is usually used in substantive testing.

Stop-or-Go Sampling

Stop-or-go sampling is used where controls are strong and very few errors are expected. It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment. Stop-or-go sampling is generally applied where controls are automated such as auto patch updates.

Discovery Sampling

Discovery sampling is used when the objective is to detect fraud or other irregularities. If a single error is found, the entire sample is believed to be fraudulent/irregular.

The following table summarizes the use cases for each sampling type:

Sampling Type

When to Use

Statistical

When the question is about how the probability of error can be objectively quantified

Non-Statistical

When the question is about a technique where the experience and judgment of the auditor are required

Attribute

When the question is about the technique for compliance testing

Variable

When the question is about the technique for substantive testing

Stop-or-Go

When the question is about the technique to use when few errors are expected

Discovery

When the question is about the technique used to detect fraud

Table 2.3: Different types of sampling

Note

Remember the term AC-VSattribute sampling for compliance testing and variable sampling for substantive testing.

Sampling Risk

Sampling risk refers to the risk that a sample is not a true representation of the population. This implies that the conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.

Other Sampling Terms

A CISA candidate should be aware of the following terms related to sampling.

The Confidence Coefficient

A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and confidence coefficient are directly related. A high sample size will give a high confidence coefficient.

Look at the following example:

Population

Sample Size

Confidence Coefficient

100

95

95%

50

50%

25

25%

Table 2.4: Example of confidence coefficient

In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence coefficient.

In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence coefficient.

Level of Risk

The level of risk can be derived by deducting the confidence coefficient from 100. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100% – 95%).

Expected Error Rate

This indicates the expected percentage of errors in procession that may exist. When the expected error rate is high, the auditor should select a higher sample size.

Tolerable Error Rate

This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample Mean

The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.

Sample Standard Deviation

This indicates the variance of the sample value from the sample mean.

Compliance versus Substantive Testing

A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.

The Differences between Compliance Testing and Substantive Testing

The following table differentiates between compliance and substantive testing:

Compliance Testing

Substantive Testing

Compliance testing involves the verification of the controls of a process

Substantive testing involves the verification of data or transactions

Compliance testing checks for the presence of controls

Substantive testing checks for the completeness, accuracy, and validity of the data

In compliance testing, attribute sampling is preferred

In substantive testing, variable sampling is preferred

Table 2.5: Differences between compliance testing and substantive testing

Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.

Examples of Compliance Testing and Substantive Testing

The following examples will further help you understand the different use cases of compliance testing and substantive testing:

Compliance Testing

Substantive Testing

Checking for controls in router configuration

Counting and confirming the physical inventory

Checking for controls in the change management process

Confirming the validity of inventory valuation calculations

Verification of system access rights

Counting and confirming the cash balance

Verification of firewall settings

Examining the trial balance

Reviewing compliance with the password policy

Examining other financial statements

Table 2.6: Differences between the use cases of compliance testing and substantive testing

The Relationship between Compliance Testing and Substantive Testing

A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:

  • Ideally, compliance testing should be performed first and should be followed by substantive testing.
  • The outcome of compliance testing is used to plan for a substantive test. For instance, if the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be required or limited testing may be carried out. However, if the outcome of compliance testing indicates a poor internal control system, more rigorous substantive testing is required. Thus, the design of substantive tests is often dependent on the result of compliance testing.
  • The attribute sampling technique is useful for compliance testing as it indicates that a control is either present or absent, whereas variable sampling will be useful for substantive testing.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

Which sampling technique should be used when the probability of error must be objectively quantified?

Statistical sampling

How can sampling risk be mitigated?

By using statistical sampling

Which sampling method is most useful when testing for compliance?

Attribute sampling

In the case of a strong internal control, should the confidence coefficient/sample size be increased or lowered?

The confidence coefficient/sampling size may be lowered

Which sampling method would best assist auditors when there are concerns of fraud?

Discovery sampling

How can you differentiate between compliance testing and substantive testing?

The objective of compliance testing is to test the presence of controls, whereas the objective of substantive testing is to test individual transactions. Take the example of asset inventory:

  • Compliance testing verifies whether a control exists for the inward/outward movement of the assets
  • Verifying the count of physical assets and comparing it with records is substantive testing

What are some examples of compliance testing?

  • To verify the configuration of a router for controls
  • To verify the change management process to ensure controls are effective
  • Reviewing system access rights
  • Reviewing firewall settings
  • Reviewing compliance with a password policy

What are some examples of substantive testing?

  • A physical inventory of the tapes at the location of offsite processing
  • Confirming the validity of the inventory valuation calculations
  • Conducting a bank confirmation to test cash balances
  • Examining the trial balance
  • Examining other financial statements

In what scenario can the substantive test procedure be reduced?

The internal control is strong/the control risk is within acceptable limits

When is stratified sampling useful?

Stratified sampling involves dividing the population into subgroups (strata) and then taking a sample from each subgroup. This approach is most appropriate when you want to focus on specific groups within the population.

Table 2.7: Key aspects for the CISA exam

Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable than an oral agreement.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without the relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have the scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on the relevant timing.

Figure 2.1 highlights the evidence-related guidelines:

Figure 2.1: Evidence-related guidelines

Figure 2.1: Evidence-related guidelines

The guidelines discussed for the reliability of evidence are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors

Descriptions

Review the organization’s structure

The IS auditor should review the organization’s structure and governance model. This will help the auditor determine the control environment of the enterprise.

Review IS policies, processes, and standards

The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented. The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

Observations

The IS auditor should observe the processes being audited to determine the following:

  • The skill and experience of the staff
  • The security awareness of the staff
  • The existence of segregation of duties (SoD)

Interview technique

The IS auditor should have the skill and competency to conduct interviews tactfully. Interview questions should be designed in advance to ensure that all topics are covered.

To the greatest extent possible, interview questions should be open-ended to gain insight into the process. The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

Re-performance

In re-performance, the IS auditor performs the activity that was originally performed by the staff of the organization.

Re-performance provides better evidence than other techniques. It should be used when other methods do not provide sufficient assurance about control effectiveness.

Process walk-through

A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

In a process walk-through, each step of the process being audited is observed, with discussion around how the process is executed, who is responsible for the process, and how all tasks are performed.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.
  • Computer-assisted audit techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Fraud, Irregularities, and Illegal Acts

While evaluating the evidence, it must be noted that the implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

What does the extent of the data requirements for the audit depend on?

The objective and scope of the audit

What should audit findings be supported by?

Sufficient and appropriate audit evidence

What is the most important reason to obtain sufficient audit evidence?

To provide a reasonable basis for drawing conclusions

What is the most effective tool for obtaining audit evidence through digital data?

Computer-assisted auditing techniques

What is the most important advantage of using CAATs for gathering audit evidence?

CAATs provide assurance about the reliability of the evidence collected

What type of evidence is considered most reliable?

Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

What is the primary reason for a functional walk-through?

To understand the business process

Table 2.9: Key aspects for the CISA exam

Gathering reliable audit evidence is important for forming an auditor’s opinion. Traditional methods can be slow and might miss important details, which can impact audit results. Data analytics (DA) changes this by allowing auditors to quickly analyze large amounts of data, improving accuracy and uncovering insights. It helps auditors find risks and unusual patterns more effectively. In the next section, we’ll explore how data analytics enhances modern auditing and makes it more efficient.

Data Analytics

DA is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information. DA plays an important role in modern audit execution, as it enhances the auditor’s ability to assess risks, identify anomalies, and provide more insightful findings.

The following are some example use cases of DA:

  • To determine whether a user is authorized by combining logical access files with the human resources employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input records with output records
  • To review system configuration settings
  • To review logs for unauthorized access

CAATs take the data analysis process a step further by simplifying the examination of complex data. CAATs are discussed in detail in the next section.

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools

Functions

General audit software

This is a standard type of software that is used to read and access data directly from various database platforms.

Utility and scanning software

This helps in generating reports of the database management system.

It scans all the vulnerabilities in the system.

Debugging

This helps in identifying and removing errors from computer hardware or software.

Test data

This is used to test processing logic, computations, and controls programmed in computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable than the manual process.

The following are some example use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For a detailed analysis of any given process
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability scanning and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions While Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality.
  • Obtain approval for installing the CAAT software on the auditee servers.
  • Obtain only read-only access when using CAATs on production data. This will ensure that no one can edit the data.
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured.

Continuous Auditing and Monitoring

Continuous auditing and monitoring processes are used to regularly review and assess an organization’s IT activities as well as data to detect anomalies, trends, and potential issues as they occur and to ensure compliance and improve overall performance.

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing

Continuous Monitoring

In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach.

In continuous monitoring, the relevant process of a system is observed on a continuous basis.

For example, high payouts are audited immediately after a payment is made.

For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor to the introduction of a continuous monitoring process.

The following subsections discuss five widely used continuous audit tools.

Integrated Test Facility

An integrated test facility (ITF) is a technique used in auditing to test a system’s processes and controls by inserting test data into a live production system without affecting the actual data. This helps auditors evaluate how well the system handles transactions and identify any potential issues.

In an ITF, a fictitious transaction is created in the production environment.

The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness. Then, the auditor evaluates the processed results and expected results to verify the proper functioning of the systems. If the processed results match the expected results, then the auditor determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

A system control audit review file (SCARF) is a technique in which an audit module is embedded into (built in) the organization’s host application to track transactions on an ongoing basis. A SCARF is used to obtain data or information for audit purposes. SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor. For example, a company may decide to capture a payout greater than $10,000 in a separate file and then such transactions can be reviewed by the auditor to verify whether the limit has been adhered to.

SCARFs are useful when regular processing cannot be interrupted, such as in an online banking system.

Snapshot Technique

The snapshot technique captures snapshots or pictures of a transaction as it is processed at different stages in the system. Details are captured both before and after the execution of the transaction. The correctness of a transaction is verified by validating its pre-processing and post-processing snapshots. Snapshots are useful when an audit trail is required.

The IS auditor should consider the following significant factors when working with the snapshot technique:

  • The location at which snapshots are captured
  • The time at which snapshots are captured
  • The manner in which the snapshot data is reported

Audit Hook

An audit hook is a tool used in auditing to help detect and report unusual or suspicious activities in a system in real time. It acts like a trigger that alerts auditors or security personnel when certain predefined conditions are met, allowing for quick investigation and response.

Audit hooks are embedded in an application system to capture exceptions. The auditor can set different criteria to capture exceptions or suspicious transactions. For example, to closely monitor cash transactions, an auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions can then be reviewed by the auditor to identify fraud, if any.

Audit hooks are helpful in the early identification of irregularities, such as fraud or errors. They are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

Continuous and intermittent simulation (CIS) replicates or simulates the processing of the application system. In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review. CIS compares its own results with the results produced by application systems. If any discrepancies are noted, they are written to the exception log file. CIS is useful for identifying the transactions as per predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Audit Tool

Usage

SCARF/embedded audit module (EAM)

This is useful when regular processing cannot be interrupted

Snapshots

Pictures or snapshots are used when an audit trail is required

Audit hooks

When early detection of fraud or an error is required

ITF

Test data is used in a production environment

CIS

CIS is useful for the identification of transactions as per predefined criteria in a complex environment

Table 2.12: Types of continuous audit tools and their features

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

What is the first step of conducting data analytics?

The first step is determining the objective and scope of analytics

Which is the most effective online audit technique when an audit trail is required?

The snapshot technique

What is the advantage of an ITF?

Setting up a separate test environment/test process is not required. An ITF helps validate the accuracy of the system processing.

Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is most useful for identifying transactions as per predefined criteria in a complex environment

Table 2.13: Key aspects for the CISA exam

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. Effectively reporting audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Reporting and Communication Techniques

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities. These are discussed in the following subsections.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization. A formal exit interview is essential before the audit report is released as it ensures that facts are not misunderstood or misinterpreted. The following are the objectives of an exit interview:

  • To ensure that the facts are appropriately and correctly presented in the audit report
  • To discuss recommendations with auditee management
  • To discuss an implementation date

Exit meetings help align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

An audit report is a formal document that presents the findings, conclusions, and recommendations resulting from an audit. A CISA candidate should note the following best practices with respect to audit reporting:

  • The IS auditor is ultimately responsible for reporting to senior management and the final audit report should be sent to the audit committee of the board (ACB). If the IS auditor has no access to the top officials and the ACB, it will impact the auditor’s independence.
  • Before the report is placed with the ACB, the IS auditor should meet with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
  • Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
  • If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally, accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
  • To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

An audit report’s primary goal is to communicate the findings of an audit clearly and effectively. The following are the six objectives of audit reporting:

  • The presentation of audit findings/results to all the stakeholders (that is, the auditees).
  • Providing a formal closure for the audit committee.
  • Providing assurance to the organization. The audit report identifies the areas that require corrective action and associated suggestions.
  • Providing a reference for any party researching the auditee or audit topic.
  • Helping in follow-ups of audit findings presented in the audit reports for closure.
  • Promoting audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report is generally submitted to senior management, and hence, proper structuring of the report is very important. An audit report includes the following content:

  • An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
  • Audit findings and recommendations
  • Opinions about the adequacy, effectiveness, and efficiency of the control environment

The next section will take you through a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the audit recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented. Having a structured process for implementing corrective actions ensures accountability and timely follow-up, helping to address issues effectively and prevent them from recurring.

Follow-up activities should be taken up on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

What is the objective of an audit closure meeting?

To ensure that there have been no misunderstandings or misinterpretations of the facts

What is the objective of conducting a follow-up audit?

To validate remediation actions

What is the best way to schedule a follow-up audit?

On the basis of the due date agreed upon by auditee management

Table 2.14: Key aspects for the CISA exam

While reporting and monitoring methods are crucial for tracking performance and detecting potential risks, control self-assessment enables organizations to proactively assess their internal controls; this is discussed in detail next.

Control Self-Assessment

Control self-assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee reviews the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.

CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.

The following are the objectives of implementing a CSA program:

  • Make functional staff responsible for control monitoring
  • Enhance audit responsibilities (not to replace the audit’s responsibilities)
  • Concentrate on critical processes and areas of high risk

The following are some benefits of implementing a CSA program:

  • It allows risk detection at an early stage of the process and reduces control costs.
  • It helps in ensuring effective and stronger internal controls, which improves the audit rating process.
  • It helps the process owner take responsibility for control monitoring.
  • It helps in increasing employee awareness of organizational goals. It also helps the process owners understand the risk and internal controls.
  • It provides assurance to top management about the adequacy, effectiveness, and efficiency of the control requirements.

Precautions While Implementing CSA

Due care should be taken when implementing CSA. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived, even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.

An IS Auditor’s Role in CSA

The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their own environment. The IS auditor should also provide insight into the objectives of CSA.

Remember

An audit is an independent function and should not be waived, even if CSA is being implemented. Both CSA and an audit are different functions and one cannot replace the other.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

What is the primary objective of implementing CSA?

To monitor and control high-risk areas

To enhance audit responsibilities

What is the role of the auditor in the implementation of CSA?

To act as a facilitator for the CSA program

What is the most significant requirement for a successful CSA?

Involvement of line management

Table 2.15: Key aspects for the CISA exam

You learned how CSA is a proactive assessment that aids auditing. Another important technique that further builds on the proactive method is Agile auditing. The following section discusses Agile auditing in detail.

Agile Auditing

In the rapidly changing business world, traditional audit processes can sometimes be too rigid and slow to keep up with the pace of organizational change. This is where Agile auditing comes in. Inspired by Agile methodologies used in software development, Agile auditing offers a flexible and responsive approach to auditing, ensuring that audit activities remain relevant and effective in a dynamic environment.

Dictionary Meaning of Agile

According to the dictionary, agile means being able to move quickly and easily. It also implies the ability to think and understand quickly. In the context of business and auditing, being agile means being flexible, responsive, and able to adapt to changes swiftly.

Understanding Agile Auditing

Agile auditing is a modern approach to auditing that emphasizes flexibility, collaboration, and rapid delivery of audit insights. Unlike traditional audits that follow a linear and often lengthy process, Agile auditing breaks down the audit into smaller, manageable parts or sprints. Each sprint focuses on a specific area or risk and is completed within a short timeframe, typically a few weeks. This allows auditors to quickly identify issues, provide feedback, and adjust the audit plan as needed based on the latest information and organizational changes.

Agile auditing involves frequent communication and collaboration between the audit team and the stakeholders. This continuous interaction ensures that the audit remains aligned with the organization’s current priorities and risks. The iterative nature of Agile auditing allows for continuous improvement and learning, leading to more relevant and timely audit results.

Benefits of Agile Auditing

Agile auditing offers several benefits that make it a preferred approach for modern organizations. The following are some of the benefits:

  • Faster identification of risks: Agile auditing enables quick detection and response to potential issues, helping to mitigate risks before they become significant problems
  • Enhanced collaboration: It promotes continuous interaction between auditors and stakeholders, leading to better understanding and more relevant audit findings
  • Improved efficiency: It focuses on short, targeted sprints, increasing the productivity and effectiveness of the audit team
  • Continuous improvement: The iterative process allows for ongoing refinement and enhancement of the audit approach, leading to higher-quality audits
  • Adaptability: Agile auditing is flexible and can quickly adjust to changes in the business environment and emerging risks

Traditional Auditing vis-à-vis Agile Auditing

Traditional auditing typically follows a structured, linear process that can be quite lengthy and inflexible. It involves predefined steps that are carried out in a sequential order, often taking several months to complete. While this approach provides thorough and detailed audits, it can sometimes be too slow to respond to the fast-paced changes in today’s business environment.

In contrast, Agile auditing is more flexible and dynamic. It involves shorter cycles of planning, execution, and review, allowing auditors to adapt quickly to changes and emerging risks. This makes Agile auditing particularly effective in environments where conditions are constantly evolving, such as changes in regulations, and there is a need for rapid response and continuous improvement.

While traditional auditing provides depth and comprehensiveness, Agile auditing offers speed and adaptability. Organizations can benefit from combining elements of both approaches to create a balanced and effective audit process that meets their specific needs.

By developing a thorough understanding of Agile auditing and implementing it, organizations can enhance their audit processes, making them more responsive, efficient, and aligned with the rapidly changing business landscape. This approach not only helps in identifying and mitigating risks more effectively but also adds significant value to the overall governance and risk management framework.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Questions

Possible Answers

What is the most important benefit of an Agile audit methodology?

Faster identification of risks. Agile auditing enables quick detection and response to potential issues, helping mitigate risks before they become significant problems.

Differentiate between Agile auditing and a traditional audit methodology.

  • Agile auditing is designed to be flexible and involves shorter, iterative cycles, allowing for quicker responses and adjustments
  • Traditional auditing is more structured and linear, requiring a longer timeframe and less frequent communication with stakeholders

Table 2.16: Key aspects for the CISA exam

Having explored the benefits and flexibility of Agile auditing, the focus now shifts to ensuring the quality and consistency of the audit process through robust quality assurance (QA) measures. In the next section, we will discuss the QA of the audit process.

Quality Assurance of Audit Processes

QA is a process that ensures that audits follow established standards and best practices, giving stakeholders confidence in the audit results. It is crucial for making sure that audits are reliable and effective. The QA process includes supervision by the audit committee, continuous education for IS auditors, and performance monitoring of the IS audit function. These controls are discussed next.

Oversight by Audit Committee

The audit committee, usually made up of members of the board of directors, plays a vital role in ensuring the quality of the audit process by overseeing the audit function to make sure audits are done fairly and thoroughly. The audit committee approves the audit plan, reviews audit reports, and ensures that any issues found are addressed properly. Their oversight helps maintain the independence and objectivity of the audits, which is essential for high-quality results.

Continuous Education and Updating of IS Auditors

In the fast-changing field of IS, it is essential for IS auditors to keep their knowledge and skills up to date. This involves staying informed about the latest technology developments, regulatory changes, and new risks. IS auditors should participate in training programs, earn certifications, and attend industry conferences to maintain their expertise. Continuous education helps auditors effectively identify and assess risks, use advanced audit techniques, and provide valuable insights to their organization.

Performance Monitoring of IS Audit Functions

Monitoring the performance of the IS audit function is a key part of QA as it ensures that audits are effective and meet their objectives. It also provides a feedback loop for continuous improvement, allowing the audit function to adapt and remain relevant in a changing environment. Here are some examples of key performance indicators (KPIs) that can be used to monitor and evaluate the performance of the IS audit function:

  • Audit coverage rate: This is the percentage of planned audits that were completed within a given period. It is calculated as follows: Number of completed audits / Number of planned audits × 100.
  • Audit finding closure rate: This is the percentage of identified audit findings that have been addressed and closed within the specified timeframe. It is calculated as follows: Number of closed audit findings / Number of total audit findings × 100.
  • Timeliness of audit reports: This is the average time taken to issue audit reports after the completion of an audit. It is calculated as the average number of days from audit completion to report issuance.
  • Audit recommendation implementation rate: This is the percentage of audit recommendations that have been implemented by management. It is calculated as follows, using an example KPI: Number of implemented recommendations / Number of total recommendations × 100.
  • Resource utilization: This is the extent to which audit resources (e.g., personnel or budget) are utilized effectively. It is calculated as follows, using an example KPI: Actual hours spent on audits / Budgeted hours for audits × 100.
  • Stakeholder satisfaction: This is the level of satisfaction among stakeholders (e.g., audit committee and management) with the audit process and outcomes. An example KPI would be the average satisfaction rating from stakeholder surveys.
  • Compliance rate: This is the percentage of audits that comply with established internal audit standards and procedures. It is calculated as follows: Number of compliant audits / Number of total audits × 100.
  • Risk coverage: This is the extent to which critical risks are identified and addressed through the audit process. It is calculated as follows: Number of critical risks audited / Number of critical risks identified × 100.
  • Training and development: This is the investment in and effectiveness of training and development programs for audit staff. It is calculated as the average training hours per auditor per year.
  • Audit cost efficiency: This is the cost-effectiveness of the audit function in relation to the value it provides. It is calculated as follows: Total audit cost / Number of audits conducted.

By regularly tracking these KPIs, the IS audit function can ensure continuous improvement, demonstrate its value to the organization, and align its activities with the business objectives.

Continuous Improvement

In addition to the preceding points, the IS audit function should also focus on continuous improvement and adaptation. This involves staying updated with the latest trends and threats in the IT landscape, regularly updating audit methodologies, and incorporating feedback from previous audits. It also includes fostering a culture of collaboration between the IS audit team and other departments to ensure a holistic approach to risk management and compliance.

Accreditation/Certification of the IS Audit Function

Accreditation or certification of the IS audit function provides formal recognition that the audit process meets established standards. This can enhance the credibility and reliability of the audit function. For example, ISO 9001 QMS helps in standardizing the processes within the IS audit function. This standardization ensures that all audits are conducted in a consistent manner, following predefined procedures and guidelines. By having a clear set of standards and procedures, IS auditors can perform their tasks more effectively and efficiently, reducing variability and improving the reliability of audit outcomes. Such accreditations not only boost stakeholder confidence but also ensure that the audit function remains aligned with industry standards and practices.

By implementing strong QA measures, organizations can ensure that their audit processes are compliant with standards and contribute effectively to overall governance and risk management.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Questions

Possible Answers

Why is continuous education important for IS auditors?

To address emerging risks

What is the most important factor in ensuring the success of a new audit QA program?

Commitment and support from executive management

What is the primary objective of a QA and improvement program for an audit process?

To design a structured framework for improving audit effectiveness

What is the most important factor to demonstrate the success of the QA program?

KPIs are continuously improved

Table 2.17: Key aspects for the CISA exam

Use of AI in the Audit Process

AI is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.

How Does AI Work in Auditing?

AI refers to the ability of machines to perform tasks that typically require human intelligence. This includes learning from experience, understanding complex patterns, making decisions, and even recognizing natural language. In the context of auditing, AI can be used to automate repetitive tasks such as data entry or reconciliation of data, analyze data more comprehensively, and provide insights that might be missed by human auditors.

Benefits of Using AI in Audit Processes

The integration of AI in audit processes offers several significant benefits:

  • Increased efficiency: AI can process and analyze large datasets much faster than humans. This reduces the time required for audits and allows auditors to focus on more complex and judgment-based aspects of their work.
  • Improved accuracy: AI algorithms can identify patterns and anomalies that might be overlooked by human auditors. This leads to more accurate identification of risks and errors, enhancing the overall quality of the audit.
  • Continuous auditing: AI can facilitate continuous auditing by constantly monitoring transactions and data flows. This real-time analysis helps in identifying issues as they occur, rather than waiting for periodic audits.
  • Cost savings: By automating routine tasks, AI reduces the need for extensive manual labor, leading to cost savings for organizations. This can be particularly beneficial for large companies with complex audit requirements.

Risks of Using AI in Audit Processes

While AI offers many advantages, its use in auditing also comes with certain risks. These are described here:

  • Data privacy and security risks: AI systems require access to large amounts of data, which can raise concerns about data privacy and security. Ensuring that AI tools comply with data protection regulations is crucial.
  • Algorithm bias: AI systems can sometimes exhibit biases based on the data they are trained on. If the training data is biased, the AI’s decisions may also be biased, potentially leading to inaccurate audit results.
  • Dependence on technology: Over-reliance on AI might lead to a reduction in critical-thinking skills among auditors. It’s important to balance AI use with human judgment to ensure a comprehensive audit.
  • Complexity and understanding: AI systems can be complex and difficult to understand. Auditors need to be trained to understand how these systems work and to interpret their findings correctly.

Use Cases of AI in the Audit Process

AI is already being used in various aspects of the audit process. The following are some example use cases of AI in the audit process:

  • Data analysis: AI can analyze financial transactions, identify anomalies, and flag potential areas of concern. For instance, AI can detect unusual patterns that may indicate fraud or non-compliance.
  • Document review: AI tools can review and analyze large volumes of documents, such as contracts and agreements, to ensure compliance with regulations and identify any discrepancies.
  • Risk assessment: AI can help in assessing risks by analyzing historical data and predicting future trends. This enables auditors to focus on high-risk areas and take preventive measures.
  • Compliance monitoring: AI systems can continuously monitor transactions and activities to ensure compliance with laws and regulations. This is particularly useful in industries with stringent regulatory requirements.
  • IT system audits: AI can evaluate the security and performance of IT systems by analyzing logs and detecting unusual activities that may indicate security threats or system failures.
  • Network traffic analysis: AI can monitor network traffic to identify potential security breaches or unusual patterns that could indicate malware or unauthorized access.
  • Software license compliance: AI can audit software usage to ensure compliance with licensing agreements, helping organizations avoid legal and financial penalties.

Best Practices for Using AI in Audit Process

To maximize the benefits of AI in auditing while minimizing the risks, it’s essential to follow certain best practices:

  • Ensure data quality and integrity: Ensure that the data used for training AI models is accurate, complete, and free from biases. High-quality data leads to more reliable AI outputs.
  • Ensure transparency and explainability: Use AI tools that provide transparency in their operations and make it easy to understand how decisions are made. This helps auditors trust and verify AI findings.
  • Implement continuous learning and updates: Regularly update AI models to reflect the latest data and trends. Continuous learning helps AI tools adapt to changing conditions and improve over time.
  • Implement ethical considerations: Consider the ethical implications of using AI, such as data privacy, fairness, and accountability. Ensure that AI systems are used responsibly and do not violate ethical standards.
  • Implement human supervision: While AI can automate many tasks, human supervision is crucial. Auditors should review AI outputs, provide context, and make final decisions to ensure a balanced and comprehensive audit process.
  • Invest in training and skill development: Invest in training for auditors to understand AI tools and techniques. This helps them use AI effectively and interpret its findings accurately.
  • Integrate with the existing processes: Seamlessly integrate AI tools with existing audit processes and systems. This ensures that AI complements, rather than disrupts, traditional auditing methods.

Summary

In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.

The following are some of the important takeaways from this chapter:

  • The initial step in designing an audit plan is to determine the audit universe for the organization. The audit universe is the list of all the processes and systems under the scope of the audit. Once the audit universe is identified, a risk assessment is to be conducted to identify the critical processes and systems.
  • Statistical sampling is the preferred mode of sampling when the probability of error must be objectively quantified.
  • It is advisable to report the findings even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.
  • The objective of CSA is to involve functional staff to monitor high-risk processes. CSA aims to educate line management in the area of control responsibility and monitoring. The replacement of audit functions is not the objective of CSA.
  • Agile auditing is a flexible approach to auditing to better adapt to rapid changes in the business environment. Breaking audits into smaller, manageable “sprints” allows for quicker identification of risks, enhanced collaboration with stakeholders, and continuous improvement of audit processes. This method is especially effective in dynamic environments where traditional audit processes may be too slow to respond to evolving risks and priorities.
  • QA in the audit process is essential for ensuring audits are reliable and effective by adhering to established standards, with the audit committee providing oversight, IS auditors engaging in continuous education, and performance monitoring of the IS audit function. These practices help maintain the independence and objectivity of audits, enable auditors to stay updated on technological and regulatory changes, and ensure audits are continuously improved to meet their objectives.
  • AI is transforming the audit process by increasing efficiency, improving accuracy, and providing deeper insights through the rapid analysis of large datasets. While AI enhances the speed and effectiveness of audits and facilitates continuous monitoring, it is crucial to manage risks such as data privacy, algorithmic bias, and reliance on technology by ensuring data quality, maintaining human oversight, and regularly updating AI models.

In the next chapter, you will explore the enterprise governance of IT and related frameworks.

Exam Readiness Drill

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

HOW TO GET STARTED

  • Open the link or scan the QR code at the bottom of this page
  • If you have unlocked the practice resources, already log in to your registered account. If you haven’t, follow the instructions in Chapter 13 and come back to this page.
  • Once you log in, click the START button to start a quiz
  • We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.
  • You can use the following practice template to help you plan your attempts :

Table

The above drill is just an example. Design your drills based on your own goals and make the most out of the online quizzes accompanying this book.

First time accessing the online resources?Lock

You’ll need to unlock them through a one-time process. Head to Chapter 13 for instructions.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Learn from a qualified CISA and bestselling instructor, Hemang Doshi
  • Aligned with the latest CISA exam objectives from the 28th edition of the Official Review Manual
  • Assess your exam readiness with over 1000 targeted practice test questions

Description

Following on from the success of its bestselling predecessor, this third edition of the CISA - Certified Information Systems Auditor Study Guide serves as your go-to resource for acing the CISA exam. Written by renowned CISA expert Hemang Doshi, this guide equips you with practical skills and in-depth knowledge to excel in information systems auditing, setting the foundation for a thriving career. Fully updated to align with the 28th edition of the CISA Official Review Manual, this guide covers the latest exam objectives and provides a deep dive into essential IT auditing areas, including IT governance, systems development, and asset protection. The book follows a structured, three-step approach to solidify your understanding. First, it breaks down the fundamentals with clear, concise explanations. Then, it highlights critical exam-focused points to ensure you concentrate on key areas. Finally, it challenges you with self-assessment questions that reflect the exam format, helping you assess your knowledge. Additionally, you’ll gain access to online resources, including mock exams, interactive flashcards, and invaluable exam tips, ensuring you’re fully prepared for the exam with unlimited practice opportunities. By the end of this guide, you’ll be ready to pass the CISA exam with confidence and advance your career in auditing.

Who is this book for?

This CISA study guide is for anyone with a non-technical background aspiring to achieve the CISA certification. It caters to those currently working in or seeking employment in IT audit and security management roles.

What you will learn

  • Conduct audits that adhere to globally accepted standards and frameworks
  • Identify and propose IT processes and control enhancements
  • Use data analytics tools to optimize audit effectiveness
  • Evaluate the efficiency of IT governance and management
  • Examine and implement various IT frameworks and standard
  • Manage effective audit reporting and communication
  • Assess evidence collection methods and forensic techniques
Estimated delivery fee Deliver to Malta

Premium delivery 7 - 10 business days

€32.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Oct 31, 2024
Length: 356 pages
Edition : 3rd
Language : English
ISBN-13 : 9781835882863
Category :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Malta

Premium delivery 7 - 10 business days

€32.95
(Includes tracking information)

Product Details

Publication date : Oct 31, 2024
Length: 356 pages
Edition : 3rd
Language : English
ISBN-13 : 9781835882863
Category :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
Banner background image

Table of Contents

14 Chapters
Chapter 1: Audit Planning Chevron down icon Chevron up icon
Chapter 2: Audit Execution Chevron down icon Chevron up icon
Chapter 3: IT Governance Chevron down icon Chevron up icon
Chapter 4: IT Management Chevron down icon Chevron up icon
Chapter 5: Information Systems Acquisition and Development Chevron down icon Chevron up icon
Chapter 6: Information Systems Implementation Chevron down icon Chevron up icon
Chapter 7: Information Systems Operations Chevron down icon Chevron up icon
Chapter 8: Business Resilience Chevron down icon Chevron up icon
Chapter 9: Information Asset Security and Control Chevron down icon Chevron up icon
Chapter 10: Network Security and Control Chevron down icon Chevron up icon
Chapter 11: Public Key Cryptography and Other Emerging Technologies Chevron down icon Chevron up icon
Chapter 12: Security Event Management Chevron down icon Chevron up icon
Chapter 13: Accessing the Online Practice Resources Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela