An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

• To confirm that internal control exists
• To evaluate the effectiveness of internal controls
• To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit management project process has three phases. The first phase is planning, the second phase is execution, and the third phase is reporting. An IS auditor should be aware of the steps involved in the phases of an audit management process, as shown in the following table:

Table 2.1: Phases of an audit process

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Table 2.2: Key aspects for the CISA exam

Audit sampling is an important element of audit project management and selecting an appropriate sampling methodology is critical for gathering the relevant data and drawing accurate conclusions. The next section discusses sampling methodologies.

Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. Therefore, samples are a subset of the population.

Sampling is an integral part of audit execution as it allows auditors to efficiently evaluate the overall effectiveness of processes without the need to review every single item.

Sampling Types

This is a very important topic from a CISA exam perspective. Two or three questions can be expected on this topic. A CISA candidate should have an understanding of the sampling techniques discussed in the next subsections.

Statistical Sampling

This is an objective sampling technique. This is also known as non-judgmental sampling. It uses the laws of probability, where each unit has an equal chance of selection. In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.

For example, suppose the total population is 100 and the auditor wants to select 10% as a sample. In statistical sampling, the auditor will use random sampling to select 10 accounts. This ensures that every account has an equal chance of being selected, minimizing selection bias.

Non-Statistical Sampling

This is a subjective sampling technique. It’s also known as judgmental sampling. The auditor uses their experience and judgment to select the samples that are material and represent a higher risk.

Attribute Sampling

Attribute sampling is the simplest kind of sampling based on certain attributes; it measures basic compliance. It answers the question, How many?. It is expressed as a percentage—for example, 90% complied. Attribute sampling is usually used in compliance testing.

Variable Sampling

Variable sampling offers more information than attribute sampling. It answers the question, How much?. It is expressed in monetary value, weight, height, or some other measurement—for example, an average profit of $25,000. Variable sampling is usually used in substantive testing.

Stop-or-Go Sampling

Stop-or-go sampling is used where controls are strong and very few errors are expected. It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment. Stop-or-go sampling is generally applied where controls are automated such as auto patch updates.

Discovery Sampling

Discovery sampling is used when the objective is to detect fraud or other irregularities. If a single error is found, the entire sample is believed to be fraudulent/irregular.

The following table summarizes the use cases for each sampling type:

Table 2.3: Different types of sampling

Note

Remember the term AC-VS—attribute sampling for compliance testing and variable sampling for substantive testing.

Sampling Risk

Sampling risk refers to the risk that a sample is not a true representation of the population. This implies that the conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.

Other Sampling Terms

A CISA candidate should be aware of the following terms related to sampling.

The Confidence Coefficient

A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and confidence coefficient are directly related. A high sample size will give a high confidence coefficient.

Look at the following example:

Table 2.4: Example of confidence coefficient

In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence coefficient.

In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence coefficient.

Level of Risk

The level of risk can be derived by deducting the confidence coefficient from 100. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100% – 95%).

Expected Error Rate

This indicates the expected percentage of errors in procession that may exist. When the expected error rate is high, the auditor should select a higher sample size.

Tolerable Error Rate

This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample Mean

The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.

Sample Standard Deviation

This indicates the variance of the sample value from the sample mean.

Compliance versus Substantive Testing

A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.

The Differences between Compliance Testing and Substantive Testing

The following table differentiates between compliance and substantive testing:

Table 2.5: Differences between compliance testing and substantive testing

Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.

Examples of Compliance Testing and Substantive Testing

The following examples will further help you understand the different use cases of compliance testing and substantive testing:

Table 2.6: Differences between the use cases of compliance testing and substantive testing

The Relationship between Compliance Testing and Substantive Testing

A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:

• Ideally, compliance testing should be performed first and should be followed by substantive testing.
• The outcome of compliance testing is used to plan for a substantive test. For instance, if the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be required or limited testing may be carried out. However, if the outcome of compliance testing indicates a poor internal control system, more rigorous substantive testing is required. Thus, the design of substantive tests is often dependent on the result of compliance testing.
• The attribute sampling technique is useful for compliance testing as it indicates that a control is either present or absent, whereas variable sampling will be useful for substantive testing.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Table 2.7: Key aspects for the CISA exam

Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable than an oral agreement.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without the relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have the scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on the relevant timing.

Figure 2.1 highlights the evidence-related guidelines:

Figure 2.1: Evidence-related guidelines

The guidelines discussed for the reliability of evidence are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

• In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
• Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
• Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.
• Computer-assisted audit techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Fraud, Irregularities, and Illegal Acts

While evaluating the evidence, it must be noted that the implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Table 2.9: Key aspects for the CISA exam

Gathering reliable audit evidence is important for forming an auditor’s opinion. Traditional methods can be slow and might miss important details, which can impact audit results. Data analytics (DA) changes this by allowing auditors to quickly analyze large amounts of data, improving accuracy and uncovering insights. It helps auditors find risks and unusual patterns more effectively. In the next section, we’ll explore how data analytics enhances modern auditing and makes it more efficient.

DA is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information. DA plays an important role in modern audit execution, as it enhances the auditor’s ability to assess risks, identify anomalies, and provide more insightful findings.

The following are some example use cases of DA:

• To determine whether a user is authorized by combining logical access files with the human resources employee database
• To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
• To identify tailgating by combining input records with output records
• To review system configuration settings
• To review logs for unauthorized access

CAATs take the data analysis process a step further by simplifying the examination of complex data. CAATs are discussed in detail in the next section.

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable than the manual process.

The following are some example use cases for CAAT tools:

• To determine the accuracy of transactions and balances
• For a detailed analysis of any given process
• To ascertain compliance with IS general controls
• To ascertain compliance with IS application controls
• To assess network and operating system controls
• For vulnerability scanning and penetration testing
• For the security scanning of source code and AppSec testing

Precautions While Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

• Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality.
• Obtain approval for installing the CAAT software on the auditee servers.
• Obtain only read-only access when using CAATs on production data. This will ensure that no one can edit the data.
• Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured.

Continuous Auditing and Monitoring

Continuous auditing and monitoring processes are used to regularly review and assess an organization’s IT activities as well as data to detect anomalies, trends, and potential issues as they occur and to ensure compliance and improve overall performance.

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor to the introduction of a continuous monitoring process.

The following subsections discuss five widely used continuous audit tools.

Integrated Test Facility

An integrated test facility (ITF) is a technique used in auditing to test a system’s processes and controls by inserting test data into a live production system without affecting the actual data. This helps auditors evaluate how well the system handles transactions and identify any potential issues.

In an ITF, a fictitious transaction is created in the production environment.

The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness. Then, the auditor evaluates the processed results and expected results to verify the proper functioning of the systems. If the processed results match the expected results, then the auditor determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

A system control audit review file (SCARF) is a technique in which an audit module is embedded into (built in) the organization’s host application to track transactions on an ongoing basis. A SCARF is used to obtain data or information for audit purposes. SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor. For example, a company may decide to capture a payout greater than $10,000 in a separate file and then such transactions can be reviewed by the auditor to verify whether the limit has been adhered to.

SCARFs are useful when regular processing cannot be interrupted, such as in an online banking system.

Snapshot Technique

The snapshot technique captures snapshots or pictures of a transaction as it is processed at different stages in the system. Details are captured both before and after the execution of the transaction. The correctness of a transaction is verified by validating its pre-processing and post-processing snapshots. Snapshots are useful when an audit trail is required.

The IS auditor should consider the following significant factors when working with the snapshot technique:

• The location at which snapshots are captured
• The time at which snapshots are captured
• The manner in which the snapshot data is reported

Audit Hook

An audit hook is a tool used in auditing to help detect and report unusual or suspicious activities in a system in real time. It acts like a trigger that alerts auditors or security personnel when certain predefined conditions are met, allowing for quick investigation and response.

Audit hooks are embedded in an application system to capture exceptions. The auditor can set different criteria to capture exceptions or suspicious transactions. For example, to closely monitor cash transactions, an auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions can then be reviewed by the auditor to identify fraud, if any.

Audit hooks are helpful in the early identification of irregularities, such as fraud or errors. They are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

Continuous and intermittent simulation (CIS) replicates or simulates the processing of the application system. In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review. CIS compares its own results with the results produced by application systems. If any discrepancies are noted, they are written to the exception log file. CIS is useful for identifying the transactions as per predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Table 2.12: Types of continuous audit tools and their features

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Table 2.13: Key aspects for the CISA exam

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. Effectively reporting audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities. These are discussed in the following subsections.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization. A formal exit interview is essential before the audit report is released as it ensures that facts are not misunderstood or misinterpreted. The following are the objectives of an exit interview:

• To ensure that the facts are appropriately and correctly presented in the audit report
• To discuss recommendations with auditee management
• To discuss an implementation date

Exit meetings help align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

An audit report is a formal document that presents the findings, conclusions, and recommendations resulting from an audit. A CISA candidate should note the following best practices with respect to audit reporting:

• The IS auditor is ultimately responsible for reporting to senior management and the final audit report should be sent to the audit committee of the board (ACB). If the IS auditor has no access to the top officials and the ACB, it will impact the auditor’s independence.
• Before the report is placed with the ACB, the IS auditor should meet with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
• Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
• If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally, accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
• To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

An audit report’s primary goal is to communicate the findings of an audit clearly and effectively. The following are the six objectives of audit reporting:

• The presentation of audit findings/results to all the stakeholders (that is, the auditees).
• Providing a formal closure for the audit committee.
• Providing assurance to the organization. The audit report identifies the areas that require corrective action and associated suggestions.
• Providing a reference for any party researching the auditee or audit topic.
• Helping in follow-ups of audit findings presented in the audit reports for closure.
• Promoting audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report is generally submitted to senior management, and hence, proper structuring of the report is very important. An audit report includes the following content:

• An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
• Audit findings and recommendations
• Opinions about the adequacy, effectiveness, and efficiency of the control environment

The next section will take you through a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the audit recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented. Having a structured process for implementing corrective actions ensures accountability and timely follow-up, helping to address issues effectively and prevent them from recurring.

Follow-up activities should be taken up on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Table 2.14: Key aspects for the CISA exam

While reporting and monitoring methods are crucial for tracking performance and detecting potential risks, control self-assessment enables organizations to proactively assess their internal controls; this is discussed in detail next.

Control self-assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee reviews the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.

CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.

The following are the objectives of implementing a CSA program:

• Make functional staff responsible for control monitoring
• Enhance audit responsibilities (not to replace the audit’s responsibilities)
• Concentrate on critical processes and areas of high risk

The following are some benefits of implementing a CSA program:

• It allows risk detection at an early stage of the process and reduces control costs.
• It helps in ensuring effective and stronger internal controls, which improves the audit rating process.
• It helps the process owner take responsibility for control monitoring.
• It helps in increasing employee awareness of organizational goals. It also helps the process owners understand the risk and internal controls.
• It provides assurance to top management about the adequacy, effectiveness, and efficiency of the control requirements.

Precautions While Implementing CSA

Due care should be taken when implementing CSA. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived, even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.

An IS Auditor’s Role in CSA

The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their own environment. The IS auditor should also provide insight into the objectives of CSA.

Remember

An audit is an independent function and should not be waived, even if CSA is being implemented. Both CSA and an audit are different functions and one cannot replace the other.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Table 2.15: Key aspects for the CISA exam

You learned how CSA is a proactive assessment that aids auditing. Another important technique that further builds on the proactive method is Agile auditing. The following section discusses Agile auditing in detail.

In the rapidly changing business world, traditional audit processes can sometimes be too rigid and slow to keep up with the pace of organizational change. This is where Agile auditing comes in. Inspired by Agile methodologies used in software development, Agile auditing offers a flexible and responsive approach to auditing, ensuring that audit activities remain relevant and effective in a dynamic environment.

Dictionary Meaning of Agile

According to the dictionary, agile means being able to move quickly and easily. It also implies the ability to think and understand quickly. In the context of business and auditing, being agile means being flexible, responsive, and able to adapt to changes swiftly.

Understanding Agile Auditing

Agile auditing is a modern approach to auditing that emphasizes flexibility, collaboration, and rapid delivery of audit insights. Unlike traditional audits that follow a linear and often lengthy process, Agile auditing breaks down the audit into smaller, manageable parts or sprints. Each sprint focuses on a specific area or risk and is completed within a short timeframe, typically a few weeks. This allows auditors to quickly identify issues, provide feedback, and adjust the audit plan as needed based on the latest information and organizational changes.

Agile auditing involves frequent communication and collaboration between the audit team and the stakeholders. This continuous interaction ensures that the audit remains aligned with the organization’s current priorities and risks. The iterative nature of Agile auditing allows for continuous improvement and learning, leading to more relevant and timely audit results.

Benefits of Agile Auditing

Agile auditing offers several benefits that make it a preferred approach for modern organizations. The following are some of the benefits:

• Faster identification of risks: Agile auditing enables quick detection and response to potential issues, helping to mitigate risks before they become significant problems
• Enhanced collaboration: It promotes continuous interaction between auditors and stakeholders, leading to better understanding and more relevant audit findings
• Improved efficiency: It focuses on short, targeted sprints, increasing the productivity and effectiveness of the audit team
• Continuous improvement: The iterative process allows for ongoing refinement and enhancement of the audit approach, leading to higher-quality audits
• Adaptability: Agile auditing is flexible and can quickly adjust to changes in the business environment and emerging risks

Traditional Auditing vis-à-vis Agile Auditing

Traditional auditing typically follows a structured, linear process that can be quite lengthy and inflexible. It involves predefined steps that are carried out in a sequential order, often taking several months to complete. While this approach provides thorough and detailed audits, it can sometimes be too slow to respond to the fast-paced changes in today’s business environment.

In contrast, Agile auditing is more flexible and dynamic. It involves shorter cycles of planning, execution, and review, allowing auditors to adapt quickly to changes and emerging risks. This makes Agile auditing particularly effective in environments where conditions are constantly evolving, such as changes in regulations, and there is a need for rapid response and continuous improvement.

While traditional auditing provides depth and comprehensiveness, Agile auditing offers speed and adaptability. Organizations can benefit from combining elements of both approaches to create a balanced and effective audit process that meets their specific needs.

By developing a thorough understanding of Agile auditing and implementing it, organizations can enhance their audit processes, making them more responsive, efficient, and aligned with the rapidly changing business landscape. This approach not only helps in identifying and mitigating risks more effectively but also adds significant value to the overall governance and risk management framework.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Table 2.16: Key aspects for the CISA exam

Having explored the benefits and flexibility of Agile auditing, the focus now shifts to ensuring the quality and consistency of the audit process through robust quality assurance (QA) measures. In the next section, we will discuss the QA of the audit process.

QA is a process that ensures that audits follow established standards and best practices, giving stakeholders confidence in the audit results. It is crucial for making sure that audits are reliable and effective. The QA process includes supervision by the audit committee, continuous education for IS auditors, and performance monitoring of the IS audit function. These controls are discussed next.

Oversight by Audit Committee

The audit committee, usually made up of members of the board of directors, plays a vital role in ensuring the quality of the audit process by overseeing the audit function to make sure audits are done fairly and thoroughly. The audit committee approves the audit plan, reviews audit reports, and ensures that any issues found are addressed properly. Their oversight helps maintain the independence and objectivity of the audits, which is essential for high-quality results.

Continuous Education and Updating of IS Auditors

In the fast-changing field of IS, it is essential for IS auditors to keep their knowledge and skills up to date. This involves staying informed about the latest technology developments, regulatory changes, and new risks. IS auditors should participate in training programs, earn certifications, and attend industry conferences to maintain their expertise. Continuous education helps auditors effectively identify and assess risks, use advanced audit techniques, and provide valuable insights to their organization.

Performance Monitoring of IS Audit Functions

Monitoring the performance of the IS audit function is a key part of QA as it ensures that audits are effective and meet their objectives. It also provides a feedback loop for continuous improvement, allowing the audit function to adapt and remain relevant in a changing environment. Here are some examples of key performance indicators (KPIs) that can be used to monitor and evaluate the performance of the IS audit function:

• Audit coverage rate: This is the percentage of planned audits that were completed within a given period. It is calculated as follows: Number of completed audits / Number of planned audits × 100.
• Audit finding closure rate: This is the percentage of identified audit findings that have been addressed and closed within the specified timeframe. It is calculated as follows: Number of closed audit findings / Number of total audit findings × 100.
• Timeliness of audit reports: This is the average time taken to issue audit reports after the completion of an audit. It is calculated as the average number of days from audit completion to report issuance.
• Audit recommendation implementation rate: This is the percentage of audit recommendations that have been implemented by management. It is calculated as follows, using an example KPI: Number of implemented recommendations / Number of total recommendations × 100.
• Resource utilization: This is the extent to which audit resources (e.g., personnel or budget) are utilized effectively. It is calculated as follows, using an example KPI: Actual hours spent on audits / Budgeted hours for audits × 100.
• Stakeholder satisfaction: This is the level of satisfaction among stakeholders (e.g., audit committee and management) with the audit process and outcomes. An example KPI would be the average satisfaction rating from stakeholder surveys.
• Compliance rate: This is the percentage of audits that comply with established internal audit standards and procedures. It is calculated as follows: Number of compliant audits / Number of total audits × 100.
• Risk coverage: This is the extent to which critical risks are identified and addressed through the audit process. It is calculated as follows: Number of critical risks audited / Number of critical risks identified × 100.
• Training and development: This is the investment in and effectiveness of training and development programs for audit staff. It is calculated as the average training hours per auditor per year.
• Audit cost efficiency: This is the cost-effectiveness of the audit function in relation to the value it provides. It is calculated as follows: Total audit cost / Number of audits conducted.

By regularly tracking these KPIs, the IS audit function can ensure continuous improvement, demonstrate its value to the organization, and align its activities with the business objectives.

Continuous Improvement

In addition to the preceding points, the IS audit function should also focus on continuous improvement and adaptation. This involves staying updated with the latest trends and threats in the IT landscape, regularly updating audit methodologies, and incorporating feedback from previous audits. It also includes fostering a culture of collaboration between the IS audit team and other departments to ensure a holistic approach to risk management and compliance.

Accreditation/Certification of the IS Audit Function

Accreditation or certification of the IS audit function provides formal recognition that the audit process meets established standards. This can enhance the credibility and reliability of the audit function. For example, ISO 9001 QMS helps in standardizing the processes within the IS audit function. This standardization ensures that all audits are conducted in a consistent manner, following predefined procedures and guidelines. By having a clear set of standards and procedures, IS auditors can perform their tasks more effectively and efficiently, reducing variability and improving the reliability of audit outcomes. Such accreditations not only boost stakeholder confidence but also ensure that the audit function remains aligned with industry standards and practices.

By implementing strong QA measures, organizations can ensure that their audit processes are compliant with standards and contribute effectively to overall governance and risk management.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Table 2.17: Key aspects for the CISA exam

AI is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.

How Does AI Work in Auditing?

AI refers to the ability of machines to perform tasks that typically require human intelligence. This includes learning from experience, understanding complex patterns, making decisions, and even recognizing natural language. In the context of auditing, AI can be used to automate repetitive tasks such as data entry or reconciliation of data, analyze data more comprehensively, and provide insights that might be missed by human auditors.

Benefits of Using AI in Audit Processes

The integration of AI in audit processes offers several significant benefits:

• Increased efficiency: AI can process and analyze large datasets much faster than humans. This reduces the time required for audits and allows auditors to focus on more complex and judgment-based aspects of their work.
• Improved accuracy: AI algorithms can identify patterns and anomalies that might be overlooked by human auditors. This leads to more accurate identification of risks and errors, enhancing the overall quality of the audit.
• Continuous auditing: AI can facilitate continuous auditing by constantly monitoring transactions and data flows. This real-time analysis helps in identifying issues as they occur, rather than waiting for periodic audits.
• Cost savings: By automating routine tasks, AI reduces the need for extensive manual labor, leading to cost savings for organizations. This can be particularly beneficial for large companies with complex audit requirements.

Risks of Using AI in Audit Processes

While AI offers many advantages, its use in auditing also comes with certain risks. These are described here:

• Data privacy and security risks: AI systems require access to large amounts of data, which can raise concerns about data privacy and security. Ensuring that AI tools comply with data protection regulations is crucial.
• Algorithm bias: AI systems can sometimes exhibit biases based on the data they are trained on. If the training data is biased, the AI’s decisions may also be biased, potentially leading to inaccurate audit results.
• Dependence on technology: Over-reliance on AI might lead to a reduction in critical-thinking skills among auditors. It’s important to balance AI use with human judgment to ensure a comprehensive audit.
• Complexity and understanding: AI systems can be complex and difficult to understand. Auditors need to be trained to understand how these systems work and to interpret their findings correctly.

Use Cases of AI in the Audit Process

AI is already being used in various aspects of the audit process. The following are some example use cases of AI in the audit process:

• Data analysis: AI can analyze financial transactions, identify anomalies, and flag potential areas of concern. For instance, AI can detect unusual patterns that may indicate fraud or non-compliance.
• Document review: AI tools can review and analyze large volumes of documents, such as contracts and agreements, to ensure compliance with regulations and identify any discrepancies.
• Risk assessment: AI can help in assessing risks by analyzing historical data and predicting future trends. This enables auditors to focus on high-risk areas and take preventive measures.
• Compliance monitoring: AI systems can continuously monitor transactions and activities to ensure compliance with laws and regulations. This is particularly useful in industries with stringent regulatory requirements.
• IT system audits: AI can evaluate the security and performance of IT systems by analyzing logs and detecting unusual activities that may indicate security threats or system failures.
• Network traffic analysis: AI can monitor network traffic to identify potential security breaches or unusual patterns that could indicate malware or unauthorized access.
• Software license compliance: AI can audit software usage to ensure compliance with licensing agreements, helping organizations avoid legal and financial penalties.

Best Practices for Using AI in Audit Process

To maximize the benefits of AI in auditing while minimizing the risks, it’s essential to follow certain best practices:

• Ensure data quality and integrity: Ensure that the data used for training AI models is accurate, complete, and free from biases. High-quality data leads to more reliable AI outputs.
• Ensure transparency and explainability: Use AI tools that provide transparency in their operations and make it easy to understand how decisions are made. This helps auditors trust and verify AI findings.
• Implement continuous learning and updates: Regularly update AI models to reflect the latest data and trends. Continuous learning helps AI tools adapt to changing conditions and improve over time.
• Implement ethical considerations: Consider the ethical implications of using AI, such as data privacy, fairness, and accountability. Ensure that AI systems are used responsibly and do not violate ethical standards.
• Implement human supervision: While AI can automate many tasks, human supervision is crucial. Auditors should review AI outputs, provide context, and make final decisions to ensure a balanced and comprehensive audit process.
• Invest in training and skill development: Invest in training for auditors to understand AI tools and techniques. This helps them use AI effectively and interpret its findings accurately.
• Integrate with the existing processes: Seamlessly integrate AI tools with existing audit processes and systems. This ensures that AI complements, rather than disrupts, traditional auditing methods.

In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.

The following are some of the important takeaways from this chapter:

• The initial step in designing an audit plan is to determine the audit universe for the organization. The audit universe is the list of all the processes and systems under the scope of the audit. Once the audit universe is identified, a risk assessment is to be conducted to identify the critical processes and systems.
• Statistical sampling is the preferred mode of sampling when the probability of error must be objectively quantified.
• It is advisable to report the findings even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.
• The objective of CSA is to involve functional staff to monitor high-risk processes. CSA aims to educate line management in the area of control responsibility and monitoring. The replacement of audit functions is not the objective of CSA.
• Agile auditing is a flexible approach to auditing to better adapt to rapid changes in the business environment. Breaking audits into smaller, manageable “sprints” allows for quicker identification of risks, enhanced collaboration with stakeholders, and continuous improvement of audit processes. This method is especially effective in dynamic environments where traditional audit processes may be too slow to respond to evolving risks and priorities.
• QA in the audit process is essential for ensuring audits are reliable and effective by adhering to established standards, with the audit committee providing oversight, IS auditors engaging in continuous education, and performance monitoring of the IS audit function. These practices help maintain the independence and objectivity of audits, enable auditors to stay updated on technological and regulatory changes, and ensure audits are continuously improved to meet their objectives.
• AI is transforming the audit process by increasing efficiency, improving accuracy, and providing deeper insights through the rapid analysis of large datasets. While AI enhances the speed and effectiveness of audits and facilitates continuous monitoring, it is crucial to manage risks such as data privacy, algorithmic bias, and reliance on technology by ensuring data quality, maintaining human oversight, and regularly updating AI models.

In the next chapter, you will explore the enterprise governance of IT and related frameworks.

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

HOW TO GET STARTED

• Open the link or scan the QR code at the bottom of this page
• If you have unlocked the practice resources, already log in to your registered account. If you haven’t, follow the instructions in Chapter 13 and come back to this page.
• Once you log in, click the START button to start a quiz
• We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.
• You can use the following practice template to help you plan your attempts :

The above drill is just an example. Design your drills based on your own goals and make the most out of the online quizzes accompanying this book.

First time accessing the online resources?

You’ll need to unlock them through a one-time process. Head to Chapter 13 for instructions.