Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
CISA – Certified Information Systems Auditor Study Guide
CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual 2019 to help you audit, monitor, and assess information systems

eBook
€32.99 €47.99
Paperback
€59.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

CISA – Certified Information Systems Auditor Study Guide

Audit Planning

An audit plan is a step-wise approach to be followed to conduct an audit. It helps to establish the overall audit process in an effective and efficient manner. An audit plan should be aligned with the audit charter of the organization. To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications, and relevant controls. Audit planning includes both short- and long-term planning.

The following topics will be covered in this chapter:

  • The content of an audit charter
  • Audit planning
  • Business process applications and controls
  • Types of controls
  • Risk-based audit planning
  • Types of audit and assessment

The content of an audit charter

An internal audit is an independent activity and it should ideally be reported to a board-level committee. In most organizations, the internal audit function reports to the audit committee of the board. This helps to protect the independence of the audit function.

The independence of the audit function is ensured through a management-approved audit charter.

The following figure shows the features of an audit charter:

The CISA candidate should note the following features of the audit charter:

  • An audit charter is a formal document defining the internal audit's objective, authority, and responsibility. The audit charter covers the entire scope of audit activities.
  • An audit charter must be approved by top management.
  • An audit charter should not be changed too often and hence procedural aspects should not be included in it. Also, it is recommended to not include a detailed annual audit calendar including things such as planning, the allocation of resources, and other details such as audit fees, other expenses for the audit, and so on in an audit charter.
  • An audit charter should be reviewed annually to ensure that it is aligned with business objectives.

Essentially, an auditor's activities are impacted by the charter of audit department, which authorizes the accountability and responsibility of the audit department.

An audit charter includes the following:

  • The mission, purpose, and objective of the audit function
  • The scope of the audit function
  • The responsibilities of management
  • The responsibilities of internal auditors
  • The authorised personnel of the internal audit work

If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed scope, should be incorporated in an audit engagement letter.

An audit charter forms the basis of structured audit planning. Activities relevant to audit planning are discussed in the next topic.

Key aspects from CISA exam perspective

The following table covers important aspects from the CISA exam perspective:

CISA questions

Possible answers

Who should approve the audit charter of an organization?

Senior management

What should the content of an audit charter be?

The scope, authority, and responsibilities of the audit function

What is the prime reason for review of an organization chart?

To understand the authority and responsibility of individuals

The actions of an IS auditor are primarily influenced by

Audit charter

Which document provides the overall authority for an auditor to perform an audit?

Audit charter

What is the primary reason for the audit function directly reporting to the audit committee?

The audit function must be independent of the business function and should have direct access to the audit committee of the board

Self-evaluation questions

  1. An audit charter should be approved by:
    1. Higher management
    2. The head of audit
    3. The Information Security department
    4. The project steering committee
  1. The audit charter should:
    1. Be frequently upgraded as per changes in technology and the audit profession
    2. Incorporate yearly audit planning
    3. Incorporate business continuity requirements
    4. Incorporate the scope, authority, and responsibility of the audit department
  2. The prime objective of an audit charter is to:
    1. Document the procedural aspect of an audit
    2. Document system and staff requirements to conduct the audit
    3. Document the ethics and code of conduct for the audit department
    4. Document the responsibility and authority of the audit department
  3. The document that delegates authority to the audit department is:
    1. The audit planner
    2. The audit charter
    3. The IT policy
    4. The risk assessment and treatment document
  4. The prime reason for the review of an organization chart is to:
    1. Get details related to the flow of data
    2. Analyze the department-wise employee ratio
    3. Understand the authority and responsibility of individuals
    4. Analyze department-wise IT assets
  5. An IS auditor would be primarily influenced by:
    1. The charter of the audit department
    2. The representation by management
    3. The structure of the organization
    4. The number of outsourcing arrangements
  6. Which of the following is the result of a risk management process?
    1. A corporate strategic plan
    2. A charter incorporating the audit policy
    3. Decisions regarding the security policy
    4. Outsourcing arrangements
  1. Which of the following should be included in an audit charter?
    1. Annual audit planning
    2. The audit function's reporting structure
    3. Guidelines for drafting audit reports
    4. An annual audit calendar
  2. The scope, authority, and responsibility of the IS audit function is defined by:
    1. The approved audit charter
    2. The head of the IT department
    3. The operational head of the department
    4. The head of audit
  3. Which of the following functions is governed by the audit charter?
    1. The information technology function
    2. The external audit function
    3. The internal audit function
    4. The information security function
  4. Which of the following covers the overall authority to perform an IS audit?
    1. The audit scope with goals and objectives
    2. Management's request to perform an audit
    3. The approved audit charter
    4. The approved audit schedule
  5. The audit function should be reported to the audit committee of the board because:
    1. The audit function has few resources
    2. The audit function must be independent of the business function and should have direct access to the audit committee of the board
    3. No other function should use the resources of the audit function
    4. The audit function can use their own authority to complete the audit on a priority basis.
  6. The best objective for the creation of an audit charter is to:
    1. Determine the audit resource requirements
    2. Document the mission and long-term strategy of the audit department
    3. Determine the code of conduct for the audit team
    4. Provide the authority and responsibility of the audit function

Audit planning

CISA aspirants should understand the following important terms before reading about the different aspects of audit planning:

  • Audit universe: An inventory of all the functions/processes/units under the organization.
  • Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
  • Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified.
  • Risk factors: Factors that have an impact on risk. The presence of those factors increases the risk, whereas the absence of those factors decreases the risk.

All of the preceding elements are important prerequisites for the design of a structured audit plan. Next, let's discuss the benefits of a structured and well-designed audit plan.

Benefits of audit planning

Audit planning is the initial stage of the audit process. It helps to establish the overall audit strategy and the technique to complete the audit. Audit planning aids in making the audit process more structured and objective oriented.

An audit plan helps to identify and determine the following aspects:

  • The objectives of the audit
  • The scope of the audit
  • The periodicity of the audit
  • The members of the audit team
  • The method of audit

The following are some of the benefits of audit planning:

  • It helps the auditor to focus on high-risk areas
  • It helps in the identification of resource requirements to conduct the audit
  • It helps to estimate the budget for the audit
  • It helps to carry out audit work in a defined structure, which ultimately benefits the auditor as well as the auditee units

Selection criteria

An IS auditor should have a sufficient understanding about the various criteria for the selection of audit processes.

One of the criteria for audit planning is to have an audit universe. All of the significant processes of the enterprise's business should be included in the audit universe.

Each business process may undergo a qualitative or quantitative risk assessment by evaluating the risk in respect to relevant risk factors. Risk factors influence the frequency of the audit. After the risk is evaluated for each relevant factor, criteria may be defined to determine the risk of each process. The audit plan can then be designed to consider all the high-risk areas.

Reviewing audit planning

This audit plan should be reviewed and approved by top management. Generally, approval is obtained from the audit committee of the board.

The audit plan should be flexible enough to address the change in risk environment (that is, new regulatory requirements, changes in the market condition, and other risk factors).

The approved audit plan should be communicated promptly to the following groups:

  • Senior management
  • Business functions and other stakeholders
  • The internal audit team

Individual audit assignments

The next step after doing the overall annual planning is to plan individual audit assignments. The IS auditor must understand the overall environment under review. While planning an individual audit assignment, an IS auditor should consider the following:

  • Prior audit reports
  • Risk assessment reports
  • Regulatory requirements
  • Standard operating processes
  • Technological requirements

Like every other process, the audit process will also have some input and output. The following diagram will help you to understand input and output elements of the audit process:

Figure 1.3 – Audit process flow

For effective audit planning, it is of utmost importance that the IS auditor has a thorough understanding of business process applications and controls. The basic architecture of some of the commonly used applications and their associated risks are discussed in the next topic.

Key aspects from CISA exam perspective

The following figure covers important aspects from the CISA exam perspective:

CISA questions

Possible answers

What is the first step in risk-based audit planning?

To identify areas of high risk

What is a major benefit of risk-based audit planning?

The utilization of resources for high-risk areas

What is the first step to conduct a data center review?

To evaluate vulnerabilities and threats related to data center location

Self-evaluation questions

  1. Which of the following is the first step in risk-based audit planning?
    1. To identify the requirements of relevant stakeholders
    2. To identify high-risk processes in the company
    3. To identify the budget
    4. To identify the profit function
  2. Which of the following is a major advantage of a risk-based approach to audit planning?
    1. Advance communication of the audit plan
    2. Completion of the audit exercise within the allotted time and budget
    3. The collection of audit fees in advance
    4. Optimum use of audit resources for high-risk processes
  3. Which of the following should be the first exercise while reviewing data center security?
    1. The evaluation of the physical security arrangement
    2. The evaluation of vulnerabilities and threats to the data center location
    3. The evaluation of the business continuity arrangement for the data center
    4. The evaluation of the logical security arrangement
  4. Which of the following is the most important aspect of planning an audit?
    1. Identifying high-risk processes
    2. Identifying the experience and capabilities of audit staff
    3. Identifying control testing procedures of the audit
    4. Determining the audit schedule

Business process applications and controls

Working knowledge of the business environment and business objectives is required to plan a risk-based audit. The IS auditor should have a sufficient understanding of the overall architecture and technological specifications of the various applications used by the organization and the risks associated with those applications.

In understanding the issues and current risks facing the business, the IS auditor should focus on the areas that are most meaningful to management. To effectively audit business application systems, an IS auditor is required to gain a thorough understanding of the system under the scope of the audit.

The following are some of the widely used applications in business processes. The CISA candidate should be aware of the risks associated with each of them.

E-commerce

Let's start with understanding how e-commerce works:

  • Single-tier architecture runs on a single computer, that is, a client-based application
  • Two-tier architecture includes a client and server
  • Three-tier architecture consists of the following:
    • A presentation tier (for interaction with the user)
    • An application tier (for processing)
    • A data tier (for the database)

The risks are as follows:

  • A compromise of confidential user data
  • Data integrity issues due to unauthorized alterations
  • The system being unavailable may impact business continuity
  • The repudiation of transactions by either party

The IS auditor's roles are as follows:

  • To review the overall security architecture related to firewalls, encryption, networks, PKI to ensure confidentiality, integrity, availability, and the non-repudiation of e-commerce transactions
  • To review the process of log capturing and monitoring for e-commerce transactions
  • To review the incident management process
  • To review the effectiveness of the controls implemented for privacy laws
  • To review anti-malware controls
  • To review business continuity arrangements

Electronic Data Interchange (EDI)

Let's start with understanding how EDI works:

  • EDI is the online transfer of data or information between two enterprises.
  • EDI ensures an effective and efficient transfer platform without the use of paper.
  • The traditional exchange of paper documents between organizations has been replaced with EDI platforms.
  • EDI applications contain processing features such as transmission, translation, and the storage of transactions flowing between two enterprises.
  • An EDI setup can be either traditional EDI (batch transmission within each trading partner's computers) or web-based EDI (accessed through an internet service provider).

The risks are as follows:

  • One of the biggest risks applicable to EDI is transaction authorization.
  • Due to electronic interactions, no inherent authentication occurs.
  • There could be related uncertainty with a specific legal liability when we don't have a trading partner agreement.
  • Any performance-related issues with EDI applications could have a negative impact on both parties.
  • Other EDI-related risks include unauthorized access, data integrity and confidentiality, and the loss or duplication of EDI transactions.

The IS auditor's roles are as follows:

  • To determine the data's confidentiality, integrity, and authenticity, as well as the non-repudiation of transactions
  • To determine invalid transactions and data before they are uploaded to the system
  • To determine the accuracy, validity, and reasonableness of data
  • To validate and ensure the reconciliation of totals between the EDI system and the trading partner's system

The IS auditor should determine the use of some controls to validate the sender, as follows:

  1. The use of control fields within an EDI message
  2. The use of VAN sequential control numbers or reports
  3. Acknowledgment transactions with the sender

The auditor should also determine the availability of the following controls:

Control requirements for inbound transactions:

  • A log of each inbound transaction on receipt
  • Segment count totals built into the transaction set trailer
  • Checking digits to detect transposition and transcription errors

Control requirements for outbound transactions:

  • Transactions to be compared with the trading partner's profile
  • Proper segregation of duties for high-risk transactions
  • A log to be maintained for outbound transactions

EDI audits also involve the use of audit monitors (to capture EDI transactions) and expert systems (to evaluate transactions).

Point of Sale (POS)

Let's start with understanding how POS works:

  • Debit and credit card transactions are the most common examples of POS.
  • Data is captured at the time and place of sale.

The risks of this are as follows:

  • The risk of skimming, that is, the unauthorized capturing of card data with the purpose of duplicating the card
  • The risk of the unauthorized disclosure of PINs

The IS auditor's objectives are as follows:

  • To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
  • To determine that the cardholder's data (either at rest or in transit) is encrypted

Electronic banking

Let's start with understanding how it works:

  • E-banking websites and mobile-based systems are integrated with the bank's core system to support automatic transactions without any manual intervention.
  • Automated processing improves processing speed and reduces opportunities for human error and fraud.
  • Electronic banking increases the dependence on internet and communication infrastructure.

Two of the risks of this are as follows:

  • Heavy dependence on internet service providers, telecommunication companies, and other technology firms
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's objectives are as follows:

  • To determine the effectiveness of the governance and oversight of e-banking activities
  • To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
  • To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic transactions
  • To review the effectiveness of the controls implemented for privacy laws
  • To review anti-malware controls
  • To review business continuity arrangements

Electronic funds transfer (EFT)

Let's start with understanding how EFT works:

  • Through EFT, money can be transferred from one account to another electronically, that is, without cheque writing and cash collection procedures.

Some of the risks are as follows:

  • Heavy dependence on internet service providers, telecommunication companies, and other technology firms
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's objectives are as follows:

  • To determine the availability of two-factor authentication for secure transactions.
  • To determine that systems and communication channels have undergone appropriate security testing.
  • To determine that transaction data (either at rest or in transit) is encrypted.
  • To determine the effectiveness of controls on data transmission.
  • To review security arrangements for the integrity of switch operations. An EFT switch connects with all equipment in the network.
  • To review the log capturing and monitoring process of EFT transactions. In the absence of paper documents, it is important to have an alternate audit trail for each transaction.

Image processing

Let's start with understanding how it works:

  • An image processing system processes, stores, and retrieves image data.
  • An image processing system requires huge amounts of storage resources and strong processing power for scanning, compression, displays, and printing.
  • Such systems are capable of identifying colors and shades.
  • The use of image processing (in place of paper documents) can result in increased productivity, the immediate retrieval of documents, enhanced control over document storage, and efficient disaster recovery procedures.

Some of the risks are as follows:

  • Implementation without appropriate planning and testing may result in system failure.
  • The workflow system may need to be completely redesigned to integrate with the image processing system.
  • Traditional controls and audit processes may not be applicable to image processing systems. New controls must be designed for automated processes.
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.

The IS auditor's objectives are as follows:

  • To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
  • To determine the reliability of the scanners used for image processing
  • To review the retention process for original documents
  • To determine that original documents are retained at least until a good image has been captured
  • To review the confidentiality, integrity, and availability arrangements of image processing systems
  • To review the training arrangements for employees to ensure that the processes of image scanning and storing are maintained as per the quality control matrix

Artificial intelligence and expert systems

Artificial intelligence and expert systems do the following:

  • Capture and utilize the knowledge and experience of individuals
  • Improve performance and productivity
  • Automate skilled processes without manual intervention

A knowledge base in AI contains information about a particular subject and rules for interpreting that information. The components of a knowledge base include the following:

  • Decision trees: Questions to lead the user through a series of choices
  • Rules: Rules that use "if" and "then" conditions
  • Semantic nets: A knowledge base that conveys meaning
  • Knowledge interface: Stores expert-level knowledge
  • Data interface: Stores data for analysis and decision making

The risks are as follows:

  • Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the system
  • Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity

The IS auditor's roles are as follows:

  • To assess the applicability of AI in various business processes and determine the associated potential risks
  • To review adherence to documented policies and procedures
  • To review the appropriateness of the assumptions, formulas, and decision logic built into the system
  • To review the change management process for updating the system
  • To review the security arrangements to maintain the confidentiality, integrity, and availability of the system

Once the IS auditor understands the basic architecture of the business applications and associated risks, the next step is to understand the appropriateness and effectiveness of the implemented controls to mitigate the risks.

Key aspects from CISA exam perspective

The following covers the important aspects from a CISA exam perspective:

CISA questions

Possible answer

What is the major risk of EDI transactions?

The absence of agreement (in the absence of a trading partner agreement, there could be uncertainty related to specific legal liability).

What is the objective of encryption?

To ensure the integrity and confidentiality of transactions.

How are inbound transactions controlled in an EDI environment?

Inbound transactions are controlled via logs of the receipt of inbound transactions, the use of segment count totals, and the use of check digits to detect transposition and transcription errors.

What is the objective of key verification control?

Key verification is a method where data is entered a second time and compared with the initial data entry to ensure that the data entered is correct. This is generally used in EFT transactions, where another employee re-enters the same data to perform this check before any money is transferred.

What is the objective of non-repudiation?

Nom-repudiation ensures that a transaction is enforceable and that the claimed sender cannot later deny generating and sending the message.

What is the most important component of the artificial intelligence/expert system area?

Knowledge base (The knowledge base contains specific information or fact patterns associated with a particular subject matter and the rules for interpreting these facts; therefore, strict access control should be implemented and monitored to ensure the integrity of the decision rules)

Self-evaluation questions

  1. Which of the following is the area of greatest concern in an EDI process?
    1. No logging and monitoring of EDI transactions.
    2. Senior management has not approved the EDI process.
    3. The contract for a trading partner has not been entered.
    4. EDI using a dedicated channel for communication.
  2. Encryption helps in achieving which of the following objectives in an EDI environment?
    1. Ensuring the confidentiality and integrity of transactions
    2. Detecting invalid transactions
    3. Validating and ensuring the reconciliation of totals between the EDI system and a trading partner system
    4. Providing functional acknowledgment to the sender
  3. In an EDI environment, which of the following procedures ensures the completeness of an inbound transaction?
    1. The process for transaction authentication
    2. The build segment count coming to the transaction set trailer of the sender
    3. An audit trail
    4. The segregation of duties for high-risk transactions
  1. In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy?
    1. Reasonableness check
    2. Key verification
    3. Control total
    4. Completeness check
  2. Which of the following is used in an e-commerce application to ensure that a transaction is enforceable?
    1. Access control
    2. Authentication
    3. Encryption
    4. Non-repudiation

Types of controls

An internal control is a process that is used to safeguard the assets of an organization. Assets can include systems, data, people, hardware, or the reputation of the organization. Internal controls help in achieving the objectives of the organization by mitigating various risks.

Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks. Internal controls provide reasonable assurance to management about the achievement of business objectives. Through internal controls, risk events are prevented or detected and corrected.

Top management is responsible for implementing a culture that supports efficient and effective internal control processes.

Effective controls in an organization can be categorized into the following types:

Let's discuss the control types in detail.

Preventive controls

Preventive controls are designed to be implemented in such a way that prevents a threat event and thus avoids any potential impact of that threat event.

Examples of preventive controls include the following:

  • The use of qualified personnel
  • The segregation of duties
  • The use of SOPs to prevent errors
  • Transaction authorization procedures
  • Edit checks
  • Access control procedures
  • Firewalls
  • Physical barriers

Detective controls

Detective controls are designed to detect a threat event once that event has occurred. Detective controls aim to reduce the impact of such events.

Examples of detective controls include the following:

  • Internal audits and other reviews
  • Log monitoring
  • Checkpoints in production jobs
  • Echo controls in telecommunications
  • Error messages over tape labels
  • Variance analysis
  • Quality assurance

Corrective controls

Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to normal operations.

Examples of corrective controls include the following:

  • Business continuity planning
  • Disaster recovery planning
  • Incident response planning
  • Backup procedures

Deterrent controls

The purpose of a deterrent control is to give a warning signal to deter a threat event.

Examples of deterrent controls include the following:

  • CCTV cameras or "under surveillance" signs
  • Warning signs

The difference between preventive and deterrent controls

For the CISA exam, it is important to understand the difference between preventive and deterrent controls. When a preventive control is implemented, an intruder is prevented from performing an act. They do not have a choice in whether or not to perform the act.

When a deterrent control is implemented, the intruder is being given a warning. Here, the intruder has a choice: either to act as per the warning or ignore the warning.

A locked door to a room is a preventive control. Intruders cannot go through the door. On the other hand, just a warning sign that says "No Entry" is a deterrent control. Intruders can ignore the warning and enter the room.

Apart from the controls we have covered thus far, CISA candidates should also understand compensating controls. It should be noted that the absence of one control can be compensated for by having another strong control.

Compensating controls

Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.

For example, in small organizations, the segregation of duties may not always be feasible. In such cases, compensatory controls such as reviews of logs should be implemented.

Similarly, some organizations may prefer to have alternate security measures in place of encryption.

Control objectives

A control objective is a reason why a control is implemented. Control objectives are linked to business objectives.

A control objective generally addresses the following:

  • The effectiveness and efficiency of operational processes. For example, preventive controls attempt to prevent invalid transactions from being processed and assets from being misappropriated. However, detective controls have the objective of detecting errors or fraud that could result in the misstatement of financial statements.
  • Adherence to regulatory requirements.
  • The protection of assets.

It is advisable to document objectives for each and every control. Periodic reviews and monitoring of controls are required to validate results against these objectives.

Control measures

Control measures are implemented to achieve control objectives. Control measures are activities that are taken to prevent, eliminate, or minimize the risk of threat occurrence.

Key aspects from CISA exam perspective

The following table covers the important aspects from a CISA exam perspective:

CISA questions

Possible answer

Segregation of duties is an example of which type of control?

Preventive control

Controls that enable a risk or deficiency to be corrected before a loss occurs are known as what?

Corrective control

Controls that directly mitigate a risk or lack of controls directly acting upon a risk are know as what?

Compensating control

Self-evaluation questions

  1. Controls that are designed to prevent omissions, errors, or negative acts from occurring are which kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  1. What are controls that are put in place to indicate or detect an error?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Deterrent controls
  2. Which of the following is the segregation of duties an example of?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  3. What is the process of using well-designed documentation to prevent errors an example of?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  4. What kind of control is a control that enables a deficiency or another irregularity to be corrected before a loss occurs?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  5. Utilizing a service of only qualified resource is an example of:
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Internal control
  6. A check subroutine that identifies an error and makes a correction before enabling the process to continue is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  1. Barriers or warning signs are examples of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  2. An "echo" message in a telecommunications protocol is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Compensating control
  3. Checkpoints in a production job are examples of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Compensating control
  4. Controls that minimize the impact of a threat are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  5. Controls that remedy problems observed by means of detective controls are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  6. Controls that indirectly address a risk or address the absence of controls that would otherwise directly act upon that risk are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  1. Controls that predict potential problems before their occurrence are what kind of controls?
    1. Preventive controls
    2. Detective controls
    3. Corrective controls
    4. Compensating controls
  2. The requirement of biometric access for physical facilities is an example of what kind of control?
    1. Preventive control
    2. Detective control
    3. Corrective control
    4. Deterrent control
  3. Which of the following risks represents a process failure to detect a serious error?
    1. Detective risk
    2. Inherent risk
    3. Sampling risk
    4. Control risk
  4. Which of the following statements best describes detective controls and corrective controls?
    1. Both controls can prevent the occurrence of errors
    2. Detective controls are used to avoid financial loss and corrective controls are used to avoid operational risks
    3. Detective controls are used as a deterrent check and corrective controls are used to make management aware that an error has occurred
    4. Detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs
  5. Why are control objectives defined in an audit program?
    1. To give the auditor an overview for control testing
    2. To restrict the auditor to testing only documented controls
    3. To prevent management from altering the scope of the audit
    4. To help the auditor to plan for the resource requirements

Risk-based audit planning

CISA aspirants are expected to understand the following aspects of risk-based audit planning:

  • What is the risk?
  • Vulnerabilities and threats
  • Inherent risk and residual risk
  • The advantages of risk-based audit planning
  • Audit risk
  • The steps of the risk-based audit approach
  • The steps of risk assessment
  • The four methodologies for risk treatment

What is risk?

Let's look at some of the widely accepted definitions of risk.

Most of the CISA questions are framed around Risk. CISA candidates should have a thorough understanding of the term risk. Multiple definitions/formulas are available for risk. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.

Some of the more commonly used definitions of risk are presented here:

  • ERM-COSO defines risk as "Potential events that may impact the entity."
  • The Oxford English Dictionary defines risk as "The probability of something happening multiplied by the resulting cost or benefit if it does."
  • Business Dictionary.com defines risk as "The probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action."
  • ISO 31000 defines risk as "The effect of uncertainty on objectives."

In simple words, the 'risk' is the product of probability and impact:

Probability and impact are equally important when identifying risk. For example, say that the probability or likelihood of a product being damaged is very high, with a value of “1”; however, say that product barely costs anything and so the impact is “0” even if the product is damaged.

So, the risk in this scenario would be calculated as follows:

Risk = P * I

Risk = 1 * 0 = 0

Understanding vulnerability and threat

Another way of understanding risk is by understanding the notion of vulnerability and threat. In simple terms, a vulnerability is a weakness and a threat is something that can exploit said weakness. Again, both elements (V and T) should be present in order to constitute a risk.

There is no threat to a useless system, even if it is highly vulnerable. As such, the risk for that system would be nil in spite of the high vulnerability:

Vulnerability

Threat

A weakness in a system.

Generally, a vulnerability can be controlled by the organization.

An element that exploits a weakness.

Generally, a threat is not in the control of the organization.

Vulnerabilities are mostly internal elements.

Threats are mostly external elements.

Examples include weak coding, missing anti-virus, weak access control, and others.

Examples include hackers, malware, criminals, natural disasters, and so on.

There are various definitions and formulas for risks. However, for the CISA certification, please remember only the following two formulas:

Risk = Probability*Impact

Risk = A*V*T

In the second formula, A, V, and T are the value of, vulnerability of, and threats to assets, respectively.

Understanding inherent risk and residual risk

A CISA candidate should understand the difference between inherent risk and residual risk:

Inherent risk

Residual risk

The risk that an activity poses, excluding any controls or mitigating factors

The risk that remains after taking controls into account

Gross risk – that is, the risk before controls are applied

Net risk – that is, the risk after controls are applied

The following is the formula for residual risk:

Residual Risk = Inherent Risk - Control

Advantages of risk-based audit planning

Risk-based audit planning is essential to determine an audit's scope (the areas/processes/assets to be audited) effectively. It helps to deploy audit resources to areas within an organization that are subject to the greatest risk.

The following are the advantages of risk-based audit planning:

  • Effective risk-based auditing reduces the audit risk that arises during an audit.
  • Risk-based auditing is a proactive approach that helps in identifying issues at an early stage.
  • One of the major factors in a risk assessment is compliance with contractual and legal requirements. Risk-based auditing helps an organization to identify any major deviation from contractual and legal requirements. This improves compliance awareness throughout the organization.
  • Risk-based auditing promotes preventive controls over reactive measures.
  • Risk-based auditing helps to align internal audit activities with the risk management practices of the organization.

Audit risk

Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an audit. Audit risk is influenced by inherent risk, control risk, and detection risk. The following list describes each of these risks:

  • Inherent risk: This refers to risk that exists before applying a control.
  • Control risk: This refers to risk that internal controls fail to prevent or detect.
  • Detection risk: This refers to risk that internal audits fail to prevent or detect.

The following figure explains the relationship between all three risks:

The following is the formulae for calculating the audit risk:

Audit Risk = Inherent Risk X Control Risk x Detection Risk

An IS auditor should have sound knowledge of the audit risk when planning auditing activities. Some ways to minimize audit risk are listed here:

  • Conduct risk-based audit planning
  • Review the internal control system
  • Select appropriate statistical sampling
  • Assess the materiality of processes/systems in the audit scope

It is the experience and expertise of the auditor that minimizes audit risk. However, it must be noted that the auditor is a watchdog and not a bloodhound.

Risk-based auditing approach

In a risk-based auditing approach, it is important to understand the steps to be performed by the IS auditor. The following structured approach will help to minimize the audit risk and provide assurance about the state of affairs of the auditee organization:

  1. Step 1 – Acquire pre-audit requirements:
    • Knowledge about industry and regulatory requirements
    • Knowledge about applicable risk to the concerned business
    • Prior audit results
  2. Step 2 – Obtain information about internal controls:
    • Get knowledge about the control environment and procedures
    • Understand control risks
    • Understand detection risks
  1. Step 3 – Conduct compliance test:
    • Identify the controls to be tested
    • Determine the effectiveness of the controls
  2. Step 4 – Conduct a substantive test:
    • Identify the process for the substantive test
    • See that the substantive test includes analytical procedures, detail tests of account balances, and other procedures

Risk assessments

A risk assessment includes the following steps:

Risk assessments should be conducted at regular intervals to account for changes in risk factors. The risk assessment process has an iterative life cycle. Risk assessments should be performed methodically and the outputs should be comparable and reproducible.

Also, it is important to determine the risk appetite of the organization. Risk appetite helps to prioritize various risks for mitigation.

Risk response methodology

Risk response is the process of dealing with a risk to minimize its impact. It is a very important step in the risk management process. Here are the four main risk response methodologies:

  • Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
  • Risk avoidance: Change the strategy or business process to avoid the risk.
  • Risk acceptance: Decide to accept the risk.
  • Risk transfer: Transfer the risk to a third party. Insurance is the best example.

The risk culture and risk appetite of the organization in question determines the risk response method. Of the preceding responses, the most widely used response is risk mitigation by implementing some level of controls.

Let's understand the preceding risk response methodologies with a practical example. Say that a meteorological department has forecasted heavy rain during the day and we need to attend CISA lectures. The risk of rain can be handled in the following manner:

  • The majority of candidates will try to mitigate the risk of rain by arranging for an umbrella/raincoat to safeguard them from potential rain (mitigation of risk).
  • Some courageous candidates won't worry about carrying an umbrella/raincoat (risk acceptance).
  • Some candidates, such as me, will not attend classes (risk avoidance).

It's not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.

You cannot run a business without taking risks. Risk management is the process of determining whether the amount of risk taken by an organization is in accordance with the organization's capabilities and needs.

Top-down and bottom-up approaches to policy development

Let's understand the difference between the top-down and bottom-up approaches to policy development.

The top-down approach

In the top-down approach, a policy is developed and designed from a senior management perspective. In a top-down approach, policies are developed and aligned with business objectives. Involvement of senior management in designing the risk scenario is of the utmost importance. One advantage of the top-down approach to developing organizational policies is that it ensures consistency across the organization.

The bottom-up approach

In the bottom-up approach, polices are designed and developed from the process owner's/employee's perspective. The bottom-up approach begins by defining operational-level requirements and policies. The bottom-up approach is derived from and implemented on the basis of the results of risk assessments.

The best approach

An organization should make use of both the top-down approach and the bottom-up approach when developing organizational policies. They are complementary to each other and should be used simultaneously. In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.

Key aspects from CISA exam perspective

The following table covers the important aspects from the CISA exam perspective:

CISA questions

Possible answers

The most important step in a risk assessment is to identify

Threats and vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify what?

High risk areas

Once threats and vulnerabilities are identified, what should be the next step?

Identify and evaluate existing controls

What is the advantage of risk based audit planning?

Resources can be utilized for high risk areas

What does the level of protection of information assets depend on?

Criticality of assets

What is risk that is influenced by the actions of an auditor known as?

Detection risk

What is audit risk?

Audit risk is the sum total of inherent risk, control risk, and detection risk

What is risk the product of?

Probability and impact

What are the results of risk management processes used for?

Designing the control

Whose responsibility is the management of risk to an acceptable level?

Senior management

What is the absence of proper security measures known as?

Vulnerability

What is the advantage of the bottom-up approach for the development of organizational policies?

Policies are created on the basis of risk analysis

What is risk before controls are applied known as?

Inherent risk/gross risk (after the implementation of controls, it is known as residual risk/net risk)

Self-evaluation questions

  1. Which of the following is the most critical aspect of a risk analysis?
    1. Identifying competitors
    2. Identifying the existing controls
    3. Identifying vulnerabilities
    4. Identifying the reporting matrix of the organization
  2. What is the initial step in risk-focused audit planning?
    1. Identifying the role and responsibility of the relevant function
    2. Identifying high-risk processes
    3. Identifying the budget
    4. Identifying the profit function
  3. What is the main objective of conducting a risk assessment?
    1. To determine the segregation of duties for critical functions
    2. To ensure that critical vulnerabilities and threats are recognized
    3. To ensure that regulations are complied with
    4. To ensure business profitability
  4. What should be the next step of an IS auditor after identifying threats and vulnerabilities in a business process?
    1. Identifying the relevant process owner
    2. Identifying the relevant information assets
    3. Reporting the threat and its impact to the audit committee
    4. Identifying and analyzing the current controls
  1. Which of the following is the main benefit of risk-based audit planning?
    1. The communication of audit planning to the client in advance
    2. The completion of the audit activity within the allocated budget constraints
    3. The use of the latest auditing technology
    4. The focus on high-risk areas
  2. Which of the following should be the primary focus when considering the level of security of an IT asset?
    1. The criticality of the IT asset
    2. The value of IT the asset
    3. The owner of IT the asset
    4. The business continuity arrangement for the IT asset
  1. The actions of the IS auditor is most likely to influence which of the following risks?
    1. Inherent
    2. Detection
    3. Control
    4. Business
  2. What is the risk of an inadequate audit methodology known as?
    1. The procedural aspect
    2. Control risk
    3. Detection risk
    4. Residual risk
  3. Particular threat of an overall business risk indicated as:
    1. The product of the probability and impact
    2. The probability of threat realization
    3. The valuation of the impact
    4. The valuation of the risk management team
  4. Which of the following is the first step in performing risk assessments of information systems?
    1. Reviewing the appropriateness of existing controls
    2. B. Reviewing the effectiveness of existing controls
    3. Reviewing the asset-related risk surveillance mechanism
    4. Reviewing the threats and vulnerabilities impacting the assets
  1. What is the first step in evaluating the security controls of a data center?
    1. Determining the physical security arrangement
    2. Evaluating the threats and vulnerabilities applicable to the data center site
    3. Evaluating the hiring process of security staff
    4. Determining the logical security arrangements
  2. What does the classification of information assets help to ensure?
    1. The protection of all IT assets
    2. That a fundamental level of security is implemented irrespective of the value of assets
    3. That information assets are subject to suitable levels of protection
    4. That only critical IT assets are protected
  1. Which of the following should be performed first in a risk-focused audit?
    1. Analyzing inherent risk
    2. Analyzing residual risk
    3. Analyzing the controls assessment
    4. Analyzing the substantive assessment
  2. In a risk-focused audit, which of the following is the most critical step?
    1. Determining the high-risk processes
    2. Determining the capability of audit resources
    3. Determining the audit procedure
    4. Determining the audit schedule
  3. Which of the following options best describes the process of assessing a risk?
    1. Subject-oriented
    2. Object-oriented
    3. Mathematics-oriented
    4. Statistics-oriented
  4. What is the outcome of a risk assessment exercise utilized for?
    1. Estimating profits
    2. Calculating the ROI
    3. Implementing relevant controls
    4. Conducting user acceptance testing
  1. With whom does the responsibility of managing risk to an acceptable level rest?
    1. The risk management team
    2. Senior business management
    3. The chief information officer
    4. The chief security officer
  2. Which of the following is a major factor in the evaluation of IT risks?
    1. Finding vulnerabilities and threats that are applicable to IT assets
    2. Analyzing loss expectancy
    3. Benchmarking with industry
    4. Analyzing previous audit reports
  1. An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?
    1. Reporting the risk to the audit committee immediately
    2. Determining a system development methodology
    3. Identifying threats and their likelihood of occurrence
    4. Recommending the development of a new system
  2. What does a lack of appropriate control measures indicate?
    1. Threat
    2. Magnitude of impact
    3. Probability of occurrence
    4. Vulnerability
  3. Which of the following is the first step in a risk management program?
    1. Determining a vulnerability
    2. Determining existing controls
    3. Identifying assets
    4. Conducting a gap analysis
  4. What is the advantage of the bottom-up approach to the development of enterprise policies?
    1. They cover the whole organization.
    2. They are created on the basis of risk analysis.
    3. They are reviewed by top management.
    4. They support consistency of procedure.
  1. The mitigation of risk can be done through which of the following?
    1. Controls
    2. Outsourcing
    3. Audit and certification
    4. Service level agreements (SLAs)
  2. The most important factor when implementing controls is ensuring that the control does which of the following?
    1. Helps to mitigate risk
    2. Does not impact productivity
    3. Is cost effective
    4. Is automated
  1. The absence of internal control mechanisms is known as what?
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
  2. Which of the following represents the risk that the controls will not prevent, correct, or detect errors in a timely manner?
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
  3. What is the primary consideration when evaluating the acceptable level of risk?
    1. The acceptance of risk by higher management
    2. That not all risks need to be addressed
    3. That all relevant risks must be recognized and documented for analysis
    4. The involvement of line management in risk analysis
  4. What is the best approach when focusing an audit on a high-risk area?
    1. Perform the audit; the control failures will identify the areas of highest risk
    2. Perform the audit and then perform a risk assessment
    3. Perform a risk assessment first and then concentrate control tests in the high-risk areas
    4. Increase sampling rates in high-risk areas
  1. In a risk-based audit approach, which of the following is the least relevant to audit planning?
    1. The adoption of a mature technology by the organization
    2. The risk culture and risk awareness of the organization
    3. The legal regulatory impact
    4. Previous audit findings

Types of audit and assessment

CISA candidates are expected to have a basic understanding of the various types of audits that can be performed, internally or externally, and the basic audit procedures associated with each of them. These are as follows:

Type of Audit

Description

IS audit

An IS audit is conducted to evaluate and determine whether an information system and any related infrastructure is adequately safeguarded and protected to maintain confidentiality, integrity, and availability.

Compliance audit

CA or more specifically, a compliance audit is conducted to evaluate and determine whether specific regulatory requirements are being complied with.

Financial audit

A financial audit is conducted to evaluate and determine the accuracy of financial reporting.

A financial audit involves a detailed and substantive testing approach.

Operational audit

An operational audit is conducted to evaluate and determine the accuracy of an internal control system.

It is designed to assess issues related to the efficiency of operational productivity within an organization.

Integrated audit

Here, different types of audit are integrated to combine financial, operational, and other types of audits to form a multi-faceted audit.

An integrated audit is performed to assess the overall objectives to safeguard an asset's efficiency and compliance.

It can be performed both by internal auditors or external auditors.

An integrated audit includes compliance tests of internal controls.

Specialized audit

A specialized audit includes the following:

  • A third-party service audit
  • A fraud audit
  • A forensic audit

Computer forensic audit

A computer forensic audit includes the analysis of electronic devices.

An IS auditor can help in performing forensic investigations and conduct an audit of the system to ensure compliance.

Functional audit

A functional audit is conducted to evaluate and determine the accuracy of software functionality.

A functional audit is conducted prior to software implementation.

The following diagram shows various audits combined to form an integrated audit, giving an overall view of an organization's functioning:

As you can see, integrated audit tests the internal controls of an organization. It can be performed either by the internal audit team or an external audit firm.

Self-evaluation questions

  1. Which audit is designed to collect and evaluate an information system and any related resources?
    1. Compliance audit
    2. Operational audit
    3. IS audit
    4. Specialized audit
  1. Which audit involves specific tests of controls to demonstrate adherence to specific regulatory or industry standards?
    1. Operational audit
    2. Compliance audit
    3. Integrated audit
    4. Financial audit
  1. Which audit assesses the overall objectives within an organization in terms of safeguarding an asset's efficiency and compliance?
    1. Operational audit
    2. Compliance audit
    3. Integrated audit
    4. Financial audit
  2. Which audit involves the independent evaluation of software products, verifying it's configuration items?
    1. Functional audit
    2. Integrated audit
    3. Specialized audit
    4. Compliance audit
  3. In which audit can an IS auditor assist a forensic specialist in performing forensic investigations and conduct an audit of the system to ensure compliance?
    1. Specialized audit
    2. Integrated audit
    3. IS audit
    4. Computer forensic audit
  4. Which audit is designed to assess issues related to the efficiency of operational productivity within an organization?
    1. Administrative audit
    2. Integrated audit
    3. Compliance audit
    4. Operational audit

Summary

In this chapter, we discussed various audit processes, standards, guidelines, practices, and techniques that an IS auditor is expected to use during audit assignments. We learned about risk-based audit planning and its advantages. The most important benefit of audit planning is that it helps the auditor to focus on high-risk areas. We also discussed the major risks associated with business applications.

In the next chapter, we will discuss and learn about audit execution, which includes project management techniques, sampling methodology, audit evidence collection techniques, and other aspects of conducting an audit.

Assessments

In this section, you will find the answers to the assessment questions.

Content of the audit charter

  1. Answer: A. Higher management
    Explanation: Ideally, top management should approve the audit charter. The approved audit charter is the basis on which the chief audit officer carries out audit processes. The IS department and the IT steering committee should not be involved in the preparation of the audit charter.
  2. Answer: D. Outline the overall authority, scope, and responsibilities of the audit function.
    Explanation: The overall scope, authority, and responsibility of the audit function is outlined in an audit charter. The charter should not be frequently modified. The audit charter will not cover procedural aspects such as the audit calendar and resource allocation. Business continuity arrangements should ideally be incorporated in the BCP document, and it should not form part of the audit charter.
  3. Answer: D. To prescribe the authority and responsibilities of the audit department
    Explanation: The main purpose of the audit charter is to define the auditor's roles and responsibilities. The audit charter should empower auditors to perform their work. Procedural aspects such as audit procedure, resource allocation, and ethical standards should not be a part of the audit charter.
  1. Answer: B. The audit charter
    The audit charter includes the overall scope, responsibility, and authority of the audit department. Audit planning is included in the audit calendar. The risk assessment and treatment plan should contain details of identified risks and their mitigating controls. The compendium of audit observations contains a summary of critical audit observations for top management.
  2. Answer: C. To understand the authority and responsibility of individuals
    Explanation: An organization chart is used to derive details about the authority and responsibility of relevant functions in the organization. It will help to understand whether proper segregation of duties exists.
  1. Answer: A. The audit charter
    Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. Primarily, the actions of the audit team will be influenced and guided by this charter.
  2. Answer. C. Security policy decisions
    Explanation: On the basis of the outcome of the risk management process, the organization determines the security requirements. Other choices are not directly impacted by the results of the risk management process.
  3. Answer: B. The audit function's reporting structure
    Explanation: The overall scope, authority, and responsibility of the audit department is outlined in the audit charter. It should also document the reporting matrix of the audit function. Generally, the head of the audit reports to an audit committee.
  4. Answer: A. The approved audit charter
    Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The audit charter should be approved by top management/members of the board. The other options are not correct.
  5. Answer: C. The internal audit function
    Explanation: The overall scope, authority, and responsibility of the internal audit department is outlined in the audit charter. The authority, scope, and responsibilities of the external audit are governed by the engagement letter.
  6. Answer: C. The approved audit charter
    Explanation: An internal audit charter is an official document that comprises the internal audit department's objectives, authority, responsibilities, and delegation of authority.
  1. Answer. B. The audit function must be independent of the business function and should have direct access to the board audit committee.
    Explanation: The audit function should be independent of influence and bias. Having direct and immediate access to the audit committee can enable auditors to raise major irregularities and concerns without any influence from business functions.
  2. Answer. D. To provide a clear mandate in terms of authority and responsibilities for performing the audit function
    Explanation: The charter's main purpose is to define the auditor's roles and responsibilities. The audit charter empowers the audit function to carry out their work. The other options are not relevant to this purpose.

Audit planning

  1. Answer: B. To identify high-risk processes in the organization
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas.
  2. Answer: D. The optimal use of audit resources for high-risk processes
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.
  3. Answer: B. The evaluation of threats and vulnerabilities applicable to the data center
    Explanation: Getting information and an understanding of the processes being audited and evaluating the risks and various threats will help auditors to concentrate on high-risk areas, thereby making the audit more effective and relevant.
  4. Answer: A. To identify high-risk processes
    Explanation: The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas. Risk-based audit planning is designed to ensure that enough audit resources are spent on the risk-prone areas.

Business process applications and controls

  1. Answer: C. The contract for the trading partner is not entered
    Explanation: Legal liability cannot be enforced in the absence of an agreement between trading partners. There may be uncertainty with respect to legal liability. This will be the area of most concern. A dedicated communication channel is considered a good control for EDI transactions.
  2. Answer: A. Ensuring the integrity and confidentiality of transactions
    Explanation: Encryption is a technical control through which plaintext is converted into encrypted (non-readable) text. Encryption processes are implemented to ensure the integrity and confidentiality of transactions.
  3. Answer: B. Building a segment count total into transaction set trailer
    Explanation: Building a segment count total ensures the completeness of inbound transactions in an EDI environment.
  1. Answer. B. Key verification
    Explanation: In key verification, the same field is filled in twice and a machine compares the entries for verification and validation. A reasonableness check ensures the logical reasoning of an input transaction. The control total is a system-based control that ensures that all relevant data is captured. A sequence check ensures the continuity of serial numbers. Completeness controls ensure the presence input for all required fields.
  2. Answer: D. Non-repudiation
    Explanation: Non-repudiation is a control that ensures that the sender cannot deny a transaction. It ensures that a transaction is enforceable.

Types of controls

  1. Answer: A. Preventive controls
    Explanation: Preventive controls are incorporated in such a way that prevents a threat event and thus avoids its potential impact. Detective controls are implemented to detect threat events once they have occurred. Detective controls aim to reduce the impact of an event. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.
  1. Answer: B. Detective controls
    Explanation: Preventive controls are incorporated in such a way that prevents a threat event and thus avoids its potential impact. Detective controls are implemented to detect threat events once they have occurred. Detective controls aim to reduce the impact of an event. Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring a business to its routine operations. Compensating controls are alternate measures that are employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for a weakness in another area.
  2. Answer: A. Preventive controls
    Explanation: Segregation of duties is an attempt to prevent fraud or irregularities by segregating duties such that no single employee can commit fraud or other irregularities.
  1. Answer: A. Preventive controls
    Explanation: Well-designed documents are an attempt to prevent errors by implementing efficient and effective operational procedures in the organization.
  2. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring the routine operations of the business.
  3. Answer: A. Preventive controls
    Explanation: Employing only qualified personnel is an attempt to prevent errors or other irregularities.
  4. Answer: C. Corrective controls
    Explanation: The check subroutine corrects the error. It modifies the processing system and minimizes the likelihood of future occurrences of the problem.
  5. Answer: D. Deterrent controls
    Explanation: A deterrent control is anything intended to warn a potential attacker not to attack.
  6. Answer: B. Detective controls
    Explanation: Detective controls use controls that detect and report the prevalence of an error, omission, or malicious act.
  1. Answer: B. Detective controls
    Explanation: Detective controls detect and report the prevalence of an error, omission, or malicious act.
  1. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business.
  2. Answer: C. Corrective controls
    Explanation: Corrective controls are designed to minimize the impact of a threat event once it has occurred and help in restoring to the routine operations of a business. They provide a remedy to problems discovered by detective controls.
  3. Answer: D. Compensating controls
    Explanation: Compensating controls are an alternate measure that is employed to ensure that weaknesses in a system are not exploited. In many cases, a strong control in one area can compensate for weaknesses in other areas.
  4. Answer: A. Preventive controls
    Explanation: Preventive controls detect problems before they arise. They prevent omissions, errors, or malicious acts from occurring.
  1. Answer: A. Preventive controls
    Explanation: Access control aims to prevent access by unauthorized persons. It prevents omissions, errors, or malicious acts from occurring.
  2. Answer. C. Control risk
    Explanation: Control risk is a term that signifies the possibility that a control will fail to prevent or detect unwanted actions.
  3. Answer. D. Detective controls are used to determine whether an error has occurred and corrective controls fix problems before losses occur.
    Explanation: Detective controls are designed to detect or indicate that an error has occurred. Examples of detective controls include audits, hash totals, echo controls, and so on. Corrective controls are designed to correct a risk or deficiency to prevent losses. Examples of corrective controls include business continuity planning, backup procedures, and more.
  4. Answer. A. Give the auditor an overview of control testing.
    Explanation: On the basis of control objectives, an auditor can plan control testing to evaluate the effectiveness and efficiency of implemented controls.

Risk-based audit planning

  1. Answer: C. Identifying vulnerabilities
    Explanation: The identification of vulnerabilities is an important aspect of conducting a risk assessment. If a vulnerability is appropriately recognized, controls and audit planning may not be effective.
  2. Answer: B. Identifying high-risk processes of the organization
    Explanation: The identification of high-risk processes is the first and most critical step in risk-based audit planning. Audit planning should be done in accordance with high-risk areas.
  3. Answer: B. Ensuring that critical vulnerabilities and threats have been recognized
    Explanation: The identification of vulnerabilities and threats is critical in developing a risk-based audit strategy. This will help in the determination of the processes to be considered in the scope of audit. The audit team can concentrate on high-risk areas.
  4. Answer: D. Identifying and analyzing current controls
    Explanation: Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls to draw a conclusion about residual risk.
  1. Answer: D. Focusing on high-risk areas
    Explanation: The main advantage of a risk-focused audit is that the auditor can focus on areas of high risk. This will help to plan an audit in such a way that means the audit team can concentrate on the high-risk processes.
  2. Answer: A. The criticality of IT assets
    Explanation: Protecting an asset will involve costs. It is important to understand the criticality of assets when designing appropriate levels of protection.
  3. Answer: B. Detection
    Explanation: Detection risk refers to the risk that an internal audit fails to prevent or detect. Inherent risk refers to risk that exists before applying any controls. Control risk refers to risk that internal controls fail to prevent or detect. Business risks are not impacted by inadequate audit procedure.
  4. Answer: C. Detection risk.
    Explanation: Detection risk refers to risk that an internal audit fails to prevent or detect.
  5. Answer: A. The product of probability and impact
    Explanation: Risk is the product of impact and product. Option A considers both probability and impact. Option B considers only the probability of occurrence. Option C considers only the quantum of the impact. Option D is not applicable to the structured and scientific process of risk assessment.
  1. Answer: D. Reviewing the threats and vulnerabilities applicable to the data center
    Explanation: The identification of vulnerabilities and threats is the first step in a risk assessment process. Once the threats and vulnerabilities are identified, the auditor should evaluate existing controls and their effectiveness to draw a conclusion about the residual risk. Continuous risk monitoring is implemented during the risk monitoring function.
  2. Answer: Evaluating the threats and vulnerabilities applicable to the data center
    Explanation: Out of the given options, the first step in evaluating the security controls of a data center is evaluating the threats to and vulnerabilities of the data center. Options A and D are followed once the vulnerabilities and threats are identified. Option C is not considered as a part of a security analysis.
  3. Answer: C. Information assets are subject to suitable levels of protection
    Explanation: Data classification helps in determining the appropriate level of protection for information assets. Having a specific level of information security is important when protecting data and other IT assets.
  1. Answer: A. Analyzing the inherent risk assessment
    Explanation: The inherent risk assessment is the assessment of risk at a gross level without considering the impact of controls. The first step in a risk-focused audit is to obtain relevant details about the industry and organization to consider the inherent risk level.
  2. (14) Answer: A. Determining high-risk processes
    Explanation: In risk-based planning, it is very important to determine high-risk areas. This will help to determine the areas to be audited.
  3. Answer: A. Subject-oriented
    Explanation: To determine risk, you need to calculate probability and impact. Probability is based on estimates and estimates are always subjective. Risk assessment is based on perception.
  4. Answer: C. Implementing relevant controls
    Explanation: The risk management process includes the assessment of risk and, on the basis of the outcome, the designing of various controls. The objective of the risk assessment process is to address the recognized risks by implementing appropriate controls.
  5. Answer: B. Senior business management
    Explanation: Top business management have the final authority and also the responsibility for the smooth operation of the organization. They should not further delegate their responsibility for risk management. The other options should help authorities in determining the risk appetite of the organization.
  1. Answer: A. Finding threats/vulnerabilities associated with current IT assets
    Explanation: The biggest factor in evaluating IT risk is finding and evaluating threats and vulnerabilities associated with IT assets. The other options, though very important factors for the risk assessment process, are not more important than option A.
  2. Answer: C. Identifying threats and their likelihood of occurrence
    Explanation: Once the critical assets are identified, the next step is to determine vulnerabilities and then to look at threats and their probability of occurrence.
  3. Answer: D. Vulnerability
    Explanation: A lack of security measures indicates a weakness or vulnerability. A vulnerability can be in the form of a lack of up-to-date anti-virus, weak software coding, poor access control, and more. It must be noted that vulnerabilities can be controlled by the organization.
  1. Answer: C. The identification of assets
    Explanation: The identification of critical assets is the first step in the development of a risk assessment process.
  2. Answer: B. Are created on the basis of risk analysis
    Explanation: In the bottom-up approach, risks related to processes are identified and considered. The approach starts by considering the process-level requirements and operational-level risk. The other options are the benefits of the top-down approach. In the top-down approach, policies are consistent across the organization and there is no conflict with overall corporate policy.
  3. Answer: A. Implementing controls
    Explanation: Risks are managed and reduced by incorporating proper security and relevant controls. Through insurance, risk is transferred. Auditing and certification help in providing assurance, while SLAs help in risk allocation.
  4. Answer: A. Addresses the risk
    Explanation: The most important factor for implementing controls is to ensure that the controls address the risk.
  5. Answer: A. Inherent risk
    Explanation: Gross risk or risk before controls is known as inherent risk.
  6. Answer: B. Control risk
    Explanation: Control risk refers to risk that internal controls fail to prevent or detect. Control risk refers to risk the internal control system of the organization will not able to detect, correct, or prevent.
  7. Answer: C. All relevant risks must be documented and analyzed.
    Explanation: It is most important that identified risks are properly documented. After proper documentation, other factors should be considered.
  1. Answer. C. Perform a risk assessment first and then concentrate control tests on high-risk areas
    Explanation: On the basis of risk assessment, the audit team should devote more testing resources to high-risk areas.
  2. Answer. A. The adoption of mature technology by the organization
    Explanation: Technology adoption may not have a huge impact while planning an audit as compared to other options. All the options are important, but the technology's maturity alone has the least influence on an organization's risk assessment.

Types of audit and assessment

  1. Answer. C. IS audit
    Explanation: An IS audit is designed to evaluate an information system and any related resources to determine the adequacy of the internal controls that provide the availability, integrity, and confidentiality of the IT assets of the system.
  2. Answer. B. Compliance audit
    Explanation: A compliance audit includes specific tests of controls to determine adherence to specific regulatory or legal requirements.
  3. Answer. C. Integrated audit
    Explanation: There are different types of integrated audits that may combine financial and operational audit steps to assess the overall objectives of an organization and safeguard the efficiency and compliance of assets.
  4. Answer. A. Functional audit
    Explanation: A functional audit provides an independent evaluation of software products. The audit comes either prior to software delivery or after implementation.
  5. Answer. D. Computer forensic audit
    Explanation: This is an investigation that includes the analysis of electronic devices. An IS auditor can support an IS manager or forensic specialist when conducting forensic analysis and auditing to ensure adherence to policy and procedure.
  6. Answer: D. Operational audit
    Explanation: An operational audit is designed to perform an operational audit and other aspects related to the effectiveness, efficiency, and productivity of an enterprise.
Left arrow icon Right arrow icon

Description

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor? The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep. This book covers all the five CISA domains in detail to help you pass the exam. You’ll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you’ll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you’ll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards. By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.

Who is this book for?

This CISA exam study guide is designed for those with a non-technical background who are interested in achieving CISA certification and are currently employed or looking to gain employment in IT audit and security management positions.

What you will learn

  • Understand the information systems auditing process
  • Get to grips with IT governance and management
  • Gain knowledge of information systems acquisition
  • Assist your organization in protecting and controlling information systems with IT audit standards
  • Understand information systems operations and how to ensure business resilience
  • Evaluate your organization's security policies, standards, and procedures to meet its objectives
Estimated delivery fee Deliver to Lithuania

Premium delivery 7 - 10 business days

€25.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Aug 21, 2020
Length: 590 pages
Edition : 1st
Language : English
ISBN-13 : 9781838989583
Languages :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to Lithuania

Premium delivery 7 - 10 business days

€25.95
(Includes tracking information)

Product Details

Publication date : Aug 21, 2020
Length: 590 pages
Edition : 1st
Language : English
ISBN-13 : 9781838989583
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 121.97
CompTIA Security+: SY0-601 Certification Guide
€23.99
CISA – Certified Information Systems Auditor Study Guide
€59.99
CompTIA CASP+ CAS-004 Certification Guide
€37.99
Total 121.97 Stars icon

Table of Contents

18 Chapters
Section 1: Information System Auditing Process Chevron down icon Chevron up icon
Audit Planning Chevron down icon Chevron up icon
Audit Execution Chevron down icon Chevron up icon
Section 2: Governance and Management of IT Chevron down icon Chevron up icon
IT Governance Chevron down icon Chevron up icon
IT Management Chevron down icon Chevron up icon
Section 3: Information Systems Acquisition, Development, and Implementation Chevron down icon Chevron up icon
Information Systems Acquisition and Development Chevron down icon Chevron up icon
Information Systems Implementation Chevron down icon Chevron up icon
Section 4: Information System Operations and Business Resilience Chevron down icon Chevron up icon
Information System Operations Chevron down icon Chevron up icon
Business Resilience Chevron down icon Chevron up icon
Section 5: Protection of Information Assets Chevron down icon Chevron up icon
Information Asset Security and Control Chevron down icon Chevron up icon
Network Security and Control Chevron down icon Chevron up icon
Public Key Cryptography and Other Emerging Technologies Chevron down icon Chevron up icon
Security Event Management Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5
(61 Ratings)
5 star 77%
4 star 8.2%
3 star 6.6%
2 star 4.9%
1 star 3.3%
Filter icon Filter
Top Reviews

Filter reviews by




Rohith Jul 26, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I am CA Sankeerth from Qatar. I have used Hemang doshi textbook and udemy lectures for preparing my CISA. Really excellent explanation and got so much clarity in the concepts. Textbook is very much simplified. Recommended book and lectures for cisa preparation. I have passed my cisa exam successfully and very much thankful to Hemang doshi sir.
Amazon Verified review Amazon
Rozy May 02, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book along with Hermang Doshi’s Udemy course really helped me understand the concepts to pass the CISA. I also read the official review manual and did the official Questions and Answers database 2.5 times. I passed with this study plan.
Amazon Verified review Amazon
Sujit Dec 19, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book will give you complete clarity on CISA concepts. This helped me in passing CISA and I’m sure it can help all CISA aspirants in their journeys.All the best
Amazon Verified review Amazon
Varun Das Mar 01, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Best self help book for exam preparation, specially for non technical background. I referred only this book & CISA Q&A database for preparation. Key points for exam & questions are very helpful during last minute revision.
Amazon Verified review Amazon
kartik Apr 11, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Best book with clear concepts and in simple language .. those who says CISA is difficult to clear. Read this book and CISA is simple . I cleared with 634 marks .. thanks Hemang Doshi
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela