You're reading from CISA – Certified Information Systems Auditor Study Guide Achieve CISA certification with practical examples and over 850 exam-oriented practice questions

Product type Paperback

Published in Jun 2023

Publisher Packt

ISBN-13 9781803248158

Length 330 pages

Edition 2nd Edition

Concepts

Information Security

Author (1):

Hemang Doshi

View More author details

Table of Contents (14) Chapters

Preface

1. Chapter 1: Audit Planning

2. Chapter 2: Audit Execution FREE CHAPTER

3. Chapter 3: IT Governance

4. Chapter 4: IT Management

5. Chapter 5: Information Systems Acquisition and Development

6. Chapter 6: Information Systems Implementation

7. Chapter 7: Information Systems Operations

8. Chapter 8: Business Resilience

9. Chapter 9: Information Asset Security and Control

10. Chapter 10: Network Security and Control

11. Chapter 11: Public Key Cryptography and Other Emerging Technologies

12. Chapter 12: Security Event Management

13. Other Books You May Enjoy

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors	Descriptions
Review the organization’s structure	The IS auditor should review the organization’s structure and governance model. This will help the auditor determine the control environment of the enterprise.
Review IS policies, processes, and standards	The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented. The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.
Observations	The IS auditor should observe the process to determine the following: The skill and experience of the staff The security awareness of the staff The existence of segregation of duties (SoD)
Interview technique	The IS auditor should have the skill and competency to conduct interviews tactfully. Interview questions should be designed in advance to ensure that all topics are covered. To the greatest extent possible, interview questions should be open-ended to gain insight into the process. The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.
Re-performance	In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization. Re-performance provides better evidence than other techniques. It should be used when other methods do not provide sufficient assurance about control effectiveness.
Process walk-through	A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions	Possible Answers
What does the extent of the data requirements for the audit depend on?	The objective and scope of the audit.
What should audit findings be supported by?	Sufficient and appropriate audit evidence.
What is the most important reason to obtain sufficient audit evidence?	To provide a reasonable basis for drawing conclusions.
What is the most effective tool for obtaining audit evidence through digital data?	Computer-assisted auditing techniques.
What is the most important advantage of using CAATs for gathering audit evidence?	CAATs provide assurance about the reliability of the evidence collected.
What type of evidence is considered most reliable?	Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.
What is the primary reason for a functional walk-through?	To understand the business process.