Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
CISA – Certified Information Systems Auditor Study Guide

You're reading from   CISA – Certified Information Systems Auditor Study Guide Achieve CISA certification with practical examples and over 850 exam-oriented practice questions

Arrow left icon
Product type Paperback
Published in Jun 2023
Publisher Packt
ISBN-13 9781803248158
Length 330 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Chapter 1: Audit Planning 2. Chapter 2: Audit Execution FREE CHAPTER 3. Chapter 3: IT Governance 4. Chapter 4: IT Management 5. Chapter 5: Information Systems Acquisition and Development 6. Chapter 6: Information Systems Implementation 7. Chapter 7: Information Systems Operations 8. Chapter 8: Business Resilience 9. Chapter 9: Information Asset Security and Control 10. Chapter 10: Network Security and Control 11. Chapter 11: Public Key Cryptography and Other Emerging Technologies 12. Chapter 12: Security Event Management 13. Other Books You May Enjoy

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors

Descriptions

Review the organization’s structure

  • The IS auditor should review the organization’s structure and governance model.
  • This will help the auditor determine the control environment of the enterprise.

Review IS policies, processes, and standards

  • The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.
  • The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

Observations

  • The IS auditor should observe the process to determine the following:
    • The skill and experience of the staff
    • The security awareness of the staff
    • The existence of segregation of duties (SoD)

Interview technique

  • The IS auditor should have the skill and competency to conduct interviews tactfully.
  • Interview questions should be designed in advance to ensure that all topics are covered.
  • To the greatest extent possible, interview questions should be open-ended to gain insight into the process.
  • The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

Re-performance

  • In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.
  • Re-performance provides better evidence than other techniques.
  • It should be used when other methods do not provide sufficient assurance about control effectiveness.

Process walk-through

  • A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What does the extent of the data requirements for the audit depend on?

The objective and scope of the audit.

What should audit findings be supported by?

Sufficient and appropriate audit evidence.

What is the most important reason to obtain sufficient audit evidence?

To provide a reasonable basis for drawing conclusions.

What is the most effective tool for obtaining audit evidence through digital data?

Computer-assisted auditing techniques.

What is the most important advantage of using CAATs for gathering audit evidence?

CAATs provide assurance about the reliability of the evidence collected.

What type of evidence is considered most reliable?

Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

What is the primary reason for a functional walk-through?

To understand the business process.

Table 2.9: Key aspects from the CISA exam perspective

You have been reading a chapter from
CISA – Certified Information Systems Auditor Study Guide - Second Edition
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781803248158
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime