Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
CISA – Certified Information Systems Auditor Study Guide
CISA – Certified Information Systems Auditor Study Guide

CISA – Certified Information Systems Auditor Study Guide: Achieve CISA certification with practical examples and over 850 exam-oriented practice questions , Second Edition

eBook
$32.99 $47.99
Paperback
$59.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

CISA – Certified Information Systems Auditor Study Guide

Audit Execution

This Book Comes with Free Online Content

With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.

Figure 1.1: CISA Online Practice Resources Dashboard

Figure 2.1: CISA online practice resources dashboard

To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

Accessing the Online Content

If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.

Figure 2.2: QR Code to access CISA Online Practice Resources Main Page

Figure 2.2: QR Code to access CISA online practice resources main page

Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

In this chapter, you will learn about audit execution processes such as project management techniques, sampling methodology, and audit evidence collection techniques. These topics are important because Information Systems (IS) auditors should be aware of the audit execution process.

The following topics will be covered in this chapter:

  • Audit project management
  • Sampling methodology
  • Audit evidence collection techniques
  • Data analytics
  • Reporting and communication techniques
  • Control self-assessment

By the end of the chapter, you will have detailed knowledge of IS, business, and risk management processes that help protect the assets of an organization.

Audit Project Management

An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

The following are the basic steps for managing and monitoring audit projects:

Figure 2.3: Basic steps for managing and monitoring audit projects

Figure 2.3: Basic steps for managing and monitoring audit projects

The activities mentioned in the preceding figure are all performed to achieve specific audit objectives. These are discussed in the next section.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

  • To confirm that internal control exists
  • To evaluate the effectiveness of internal controls
  • To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit process has three phases. The first phase is about planning, the second phase is about execution, and the third phase is about reporting. An IS auditor should be aware of the phases of an audit process shown in the following tables.

Phase

Audit Steps

Description

Planning Phase

Assess risk and determine audit area

The first step is to conduct a risk assessment and identify the function, process, system, and physical location to be audited.

Determine audit objective

  • The primary goal during the planning stage of an IS audit is to address the audit objectives.
  • The audit objective, i.e. the audit purpose, is also to be determine.
  • An audit may be conducted for regulatory or contractual requirements.

Determine the audit scope

  • The next step is to identify and determine the scope of the audit.
  • The scope may be restricted to a few applications or few processes only.
  • Defining the scope will the help auditor determine the resources required for conducting of the audit

Conduct pre-audit planning

  • Pre audit planning includes understanding the business environment and the relevant regulations.
  • It includes conducting risk assessments to determine areas of high risk.
  • It also includes determining resource requirements and audit timings.

Determine audit procedures

  • The audit program is designed on the basis of pre-audit information, which includes resource allocation and audit procedures to be followed.
  • During this step, audit tools and audit methodology are developed to test and verify the controls.

Execution Phase

Gather data

  • Next step is to gather relevant data and documents for the conduct of audit.

Evaluate controls

  • Once the required information, data and documents are available, the auditor is required to evaluate the controls to verify their effectiveness and efficiency of the controls.

Validate and document the results

  • Audit observations should be validated and documented along with the relevant evidence.

Reporting Phase

Draft report

  • A draft report should be issued for obtaining comments from management on the audit observations.
  • Before issuance of the final report, the draft report should be discussed with management.

Issue report

  • The final report should contain audit findings, recommendations, comments, and the expected date of closure of the audit findings.

Follow up

  • Follow-up should be done to determine whether the audit findings are closed and a follow-up report should be issued.

Table 2.1: Phases of an audit process

For the CISA exam, please note down the following steps for the audit process:

Figure 2.4: Steps followed in an audit

Figure 2.4: Steps followed in an audit

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Fraud, Irregularities, and Illegal Acts

The implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.

Key Aspects from the CISA Exam Perspective

The following table covers the important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What does an IS audit provide?

Reasonable assurance about the coverage of material items

What is the first step of an audit project?

To develop an audit plan

What is the major concern in the absence of established audit objectives?

Not being able to determine key business risks

What is the primary objective of performing a risk assessment prior to the audit?

Allocating audit resources to areas of high risk

What is the first step of the audit planning phase?

Conducting risk assessments to determine the areas of high risk

Table 2.2: Key aspects from the CISA exam perspective

Sampling Methodology

Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. Therefore, samples are a subset of the population.

Sampling Types

This is a very important topic from a CISA exam perspective. Two or three questions can be expected from this topic. A CISA candidate should have an understanding of the following sampling techniques:

Sampling Types

Description

Statistical sampling

This is an objective sampling technique.

This is also known as non-judgmental sampling.

It uses the laws of probability, where each unit has an equal chance of selection.

In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.

Non-statistical sampling

This is a subjective sampling technique.

It’s also known as judgmental sampling.

The auditor uses their experience and judgment to select the samples that are material and represent a higher risk.

Attribute sampling

Attribute sampling is the simplest kind of sampling based on certain attributes; it measures basic compliance.

It answers the question, “How many?”

It is expressed as a percentage—for example, “90% complied.”

Attribute sampling is usually used in compliance testing.

Variable sampling

Variable sampling offers more information than attribute sampling.

It answers the question, “How much?”

It is expressed in monetary value, weight, height, or some other measurement—for example, “an average profit of $25,000.”

Variable sampling is usually used in substantive testing.

Stop-or-go sampling

Stop-or-go sampling is used where controls are strong and very few errors are expected.

It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.

Discovery sampling

Discovery sampling is used when the objective is to detect fraud or other irregularities.

If a single error is found, the entire sample is believed to be fraudulent/irregular.

Table 2.3: Types of sampling and their descriptions

The following diagram will help you to understand the answers to specific CISA questions:

Figure 2.5: Different types of sampling

Figure 2.5: Different types of sampling

Also, remember the term AC-VSAttribute Sampling for Compliance Testing and Variable Sampling for Substantive Testing.

Sampling Risk

Sampling risk refers to the risk that a sample is not a true representation of the population. The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.

Other Sampling Terms

A CISA candidate should be aware of the following terms related to sampling.

The Confidence Coefficient

A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and confidence correlation are directly related. A high sample size will give a high confidence coefficient.

Look at the following example:

Population

Sample Size

Confidence Correlation

100

95

95%

50

50%

25

25%

Table 2.4: Example of confidence coefficient

In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence correlation.

In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence correlation.

Level of Risk

The level of risk can be derived by deducting the confidence coefficient from 1. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100%–95%).

Expected Error Rate

This indicates the expected percentage of errors that may exist. When the expected error rate is high, the auditor should select a higher sample size.

Tolerable Error Rate

This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample Mean

The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.

Sample Standard Deviation

This indicates the variance of the sample value from the sample mean.

Compliance versus Substantive Testing

A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.

The Differences between Compliance Testing and Substantive Testing

The following table differentiates between compliance and substantive testing:

Compliance Testing

Substantive Testing

Compliance testing involves the verification of the controls of a process.

Substantive testing involves the verification of data or transactions.

Compliance testing checks for the presence of controls.

Substantive testing checks for the completeness, accuracy, and validity of the data.

In compliance testing, attribute sampling is preferred.

In substantive testing, variable sampling is preferred.

Table 2.5: Differences between compliance testing and substantive testing

Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.

Examples of Compliance Testing and Substantive Testing

The following examples will further help you understand the different use cases of compliance testing and substantive testing:

Compliance Testing

Substantive Testing

To check for controls in router configuration

To count and confirm the physical inventory

To check for controls in the change management process

To confirm the validity of inventory valuation calculations

Verification of system access rights

To count and confirm cash balance

Verification of firewall settings

Examining the trial balance

Reviewing compliance with the password policy

Examining other financial statements

Table 2.6: Differences between the use cases of compliance testing and substantive testing

The Relationship between Compliance Testing and Substantive Testing

A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:

  • Ideally, compliance testing should be performed first and should be followed by substantive testing.
  • The outcome of compliance testing is used to plan for a substantive test. If the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be required or may be reduced. However, if the outcome of compliance testing indicates a poor internal control system, more rigorous substantive testing is required. Thus, the design of substantive tests is often dependent on the result of compliance testing.
  • The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing, whereas variable sampling will be useful for substantive testing.

Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

Which sampling technique should be used when the probability of error must be objectively quantified?

Statistical sampling.

How can sampling risk be mitigated?

By using statistical sampling.

Which sampling method is most useful when testing for compliance?

Attribute sampling.

In the case of a strong internal control, should the confidence coefficient/sample size be increased or lowered?

The confidence coefficient/sampling size may be lowered.

Which sampling method would best assist auditors when there are concerns of fraud?

Discovery sampling.

How can you differentiate between compliance testing and substantive testing?

The objective of compliance testing is to test the presence of controls, whereas the objective of substantive testing is to test individual transactions. Take the example of asset inventory:

Compliance testing verifies whether a control exists for inward/outward movement of the assets.

Verifying the count of physical assets and comparing it with records is substantive testing.

What are some examples of compliance testing?

To verify the configuration of a router for controls.

To verify the change management process to ensure controls are effective.

Reviewing system access rights.

Reviewing firewall settings.

Reviewing compliance with a password policy.

What are some examples of substantive testing?

A physical inventory of the tapes at the location of offsite processing.

Confirming the validity of the inventory valuation calculations.

Conducting a bank confirmation to test cash balances.

Examining the trial balance.

Examining other financial statements.

In what scenario can the substantive test procedure be reduced?

The internal control is strong/the control risk is within acceptable limits.

Table 2.7: Key aspects from the CISA exam perspective

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors

Descriptions

Review the organization’s structure

  • The IS auditor should review the organization’s structure and governance model.
  • This will help the auditor determine the control environment of the enterprise.

Review IS policies, processes, and standards

  • The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.
  • The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

Observations

  • The IS auditor should observe the process to determine the following:
    • The skill and experience of the staff
    • The security awareness of the staff
    • The existence of segregation of duties (SoD)

Interview technique

  • The IS auditor should have the skill and competency to conduct interviews tactfully.
  • Interview questions should be designed in advance to ensure that all topics are covered.
  • To the greatest extent possible, interview questions should be open-ended to gain insight into the process.
  • The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

Re-performance

  • In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.
  • Re-performance provides better evidence than other techniques.
  • It should be used when other methods do not provide sufficient assurance about control effectiveness.

Process walk-through

  • A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What does the extent of the data requirements for the audit depend on?

The objective and scope of the audit.

What should audit findings be supported by?

Sufficient and appropriate audit evidence.

What is the most important reason to obtain sufficient audit evidence?

To provide a reasonable basis for drawing conclusions.

What is the most effective tool for obtaining audit evidence through digital data?

Computer-assisted auditing techniques.

What is the most important advantage of using CAATs for gathering audit evidence?

CAATs provide assurance about the reliability of the evidence collected.

What type of evidence is considered most reliable?

Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

What is the primary reason for a functional walk-through?

To understand the business process.

Table 2.9: Key aspects from the CISA exam perspective

Data Analytics

Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

  • To determine whether a user is authorized by combining logical access files with the human resource employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input with output records
  • To review system configuration settings
  • To review logs for unauthorized access

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools

Functions

General Audit Software

This is a standard type of software that is used to read and access data directly from various database platforms.

Utility and Scanning Software

This helps in generating reports of the database management system.

It scans all the vulnerabilities in the system.

Debugging

This helps in identifying and removing errors from computer hardware or software.

Test Data

This is used to test processing logic, computations, and controls programmed in computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For detailed analysis
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality
  • Obtain approval for installing the CAAT software on the auditee servers
  • Obtain only read-only access when using CAATs on production data
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing

Continuous Monitoring

In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach.

In continuous monitoring, the relevant process of a system is observed on a continuous basis.

For example, high payouts are audited immediately after a payment is made.

For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF).

In an ITF, a fictitious entity is created in the production environment:

  • The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
  • Processed results and expected results are evaluated to check the proper functioning of systems.
  • For example, with the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of processing. If the processed results match the expected results, then it determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

  • In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
  • A SCARF is used to obtain data or information for audit purposes.
  • SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
  • SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

  • This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
  • Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
  • Snapshots are useful when an audit trail is required.
  • The IS auditor should consider the following significant factors when working with this technique:
    • At what location snapshots are captured
    • At what time snapshots are captured
    • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

  • Audit hooks are embedded in the application system to capture exceptions.
  • The auditor can set different criteria to capture exceptions or suspicious transactions.
  • For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
  • Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
  • Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

  • CIS replicates or simulates the processing of the application system.
  • In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review.
  • CIS compares its own results with the results produced by application systems. If any discrepancies are noted, it is written to the exception log file.
  • CIS is useful to identify the transactions as per the predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Audit Tool

Usage

SCARF/EAM

This is useful when regular processing cannot be interrupted.

Snapshots

Pictures or snapshots are used when an audit trail is required.

Audit hooks

When early detection of fraud or error is required.

ITF

Test data is used in a production environment

CIS

CIS is useful for the identification of transactions as per predefined criteria in a complex environment.

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What is the first step of conducting data analytics?

The first step will be determining the objective and scope of analytics.

Which is the most effective online audit technique when an audit trail is required?

The snapshot technique.

What is the advantage of an Integrated Test Facility (ITF)?

Setting up a separate test environment/test process is not required.

An ITF helps validate the accuracy of the system processing.

Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is most useful to identify transactions as per predefined criteria in a complex environment.

Table 2.13: Key aspects from the CISA exam perspective

Reporting and Communication Techniques

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization.

A formal exit interview is essential before the audit report is released. The following are the objectives of an exit interview:

  • To ensure that the facts are appropriately and correctly presented in the report
  • To discuss recommendations with auditee management
  • To discuss an implementation date

The exit meeting ensures that facts are not misunderstood or misinterpreted. Exit meetings help to align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

A CISA candidate should note the following best practices with respect to audit reporting:

  • The IS auditor is ultimately responsible for senior management and the final audit report should be sent to the Audit Committee of the Board (ACB). If the IS auditor has no access to the top officials and the audit committee, it will impact the auditor’s independence.
  • Before the report is placed with the ACB, the IS auditor should discuss with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
  • Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
  • If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally, accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
  • To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

The following are the six objectives of audit reporting:

  • The presentation of audit findings/results to all the stakeholders (that is, the auditees).
  • The audit report serves as a formal closure for the audit committee.
  • The audit report provides assurance to the organization. It identifies the areas that require corrective action and associated suggestions.
  • The audit report serves as a reference for any party researching the auditee or audit topic.
  • It helps in follow-ups of audit findings presented in the audit reports for closure.
  • A well-defined audit report promotes audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report includes the following content:

  • An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
  • Audit findings and recommendations
  • Opinion about the adequacy, effectiveness, and efficiency of the control environment

Now you will see a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented.

Follow-up activities should be taken on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What is the objective of an audit closure meeting?

To ensure that there have been no misunderstandings or misinterpretations of the facts

What is the objective of conducting a follow-up audit?

To validate remediation action

What is the best way to schedule a follow-up audit?

On the basis of the due date agreed upon by auditee management

Table 2.14: Key aspects from the CISA exam perspective

Control Self-Assessment

Control Self-Assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee understands the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.

CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.

Objectives of CSA

The following are the objectives of implementing a CSA program:

  • Make functional staff responsible for control monitoring
  • Enhance audit responsibilities (not to replace the audit’s responsibilities)
  • Concentrate on critical processes and areas of high risk

Benefits of CSA

The following are the benefits of implementing a CSA program:

  • It allows risk detection at an early stage of the process and reduces control costs.
  • It helps in ensuring effective and stronger internal controls, which improves the audit rating process.
  • It helps the process owner take responsibility for control monitoring.
  • It helps in increasing employee awareness of organizational goals. It also helps in understanding the risk and internal controls.
  • It improves communication between senior officials and operational staff.
  • It improves the motivational level of the employees.
  • It provides assurance to all the stakeholders and customers.
  • It provides assurance to top management about the adequacy, effectiveness, and efficiency of the control requirements.

Precautions while Implementing CSA

Due care should be taken when implementing the CSA function. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.

An IS Auditor’s Role in CSA

The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their environment. The IS auditor should provide insight into the objectives of CSA.

An audit is an independent function and should not be waived even if CSA is being implemented. Both CSA and an audit are different functions and one cannot replace the other.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What is the primary objective of implementing CSA?

To monitor and control high-risk areas

To enhance audit responsibilities

What is the role of the auditor in the implementation of CSA?

To act as a facilitator for the CSA program

What is the most significant requirement for a successful CSA?

Involvement of line management

Table 2.15: Key aspects from the CISA exam perspective

Summary

In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.

The following are some of the important topics that were covered in this chapter:

  • The initial step in designing an audit plan is to determine the audit universe for the organization. The audit universe is the list of all the processes and systems under the scope of the audit. Once the audit universe is identified, a risk assessment is to be conducted to identify the critical processes and systems.
  • Statistical sampling is the preferred mode of sampling when the probability of error must be objectively quantified.
  • It is advisable to report the finding even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.
  • The objective of CSA is to involve functional staff to monitor high-risk processes. CSA aims to educate line management in the area of control responsibility and monitoring. The replacement of audit functions is not the objective of CSA.

In the next chapter, you will explore the enterprise governance of IT and related frameworks.

Chapter Review Questions

Before you proceed to Chapter 3, IT Governance, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 2.7: CISA practice questions interface

Figure 2.7: CISA practice questions interface

To access the end-of-chapter questions from this chapter, follow these steps:

  1. Open your web browser and go to https://packt.link/WYjVC. You will see the following screen:
Figure 2.8: Chapter summary and login

Figure 2.8: Chapter summary and login

You can also scan the following QR code to access the website:

Figure 2.9: QR code to access Chapter 2 questions

Figure 2.9: QR code to access Chapter 2 questions

  1. Log in to your account using your credentials. If you haven’t activated your account yet, refer to Instructions for Unlocking the Online Content in the Preface for detailed instructions.

After a successful login, you will see the following screen:

Figure 2.10: Chapter summary and end-of-chapter question sets

Figure 2.10: Chapter summary and end-of-chapter question sets

  1. Click on any of the given sets to begin your practice quiz. The quiz sets are timed as you can see from the following image:
Figure 2.11: Practice questions interface with timer

Figure 2.11: Practice questions interface with timer

When the timer runs out, the quiz will submit automatically. Attempt each quiz multiple times till you are able to answer all questions not just correctly, but within the time limit as well

Chapter Benchmark Score

Before moving on to the next chapter, it is recommended that you score an average of 75% on the end-of-chapter practice quizzes. By actively working toward meeting this benchmark score, you will ensure that you are well-equipped to tackle the concepts in the upcoming chapter.

Left arrow icon Right arrow icon

Key benefits

  • Enhance your understanding of each topic by practicing a set of exam-oriented questions
  • Revise concepts easily focusing on key aspects from CISA exam perspective, highlighted in each chapter
  • Accelerate your exam prep with additional study material including flashcards, practice questions, and exam tips

Description

With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.

Who is this book for?

This CISA study guide is specifically tailored for anyone with a non-technical background who wants to achieve the CISA certification. It caters to those currently working in or looking to seek employment in IT audit and security management roles.

What you will learn

  • Perform an audit in accordance with globally accepted standards and frameworks
  • Recognize and recommend opportunities for improvement
  • Understand data analytics tools and processes
  • Comprehend the effectiveness of IT governance
  • Evaluate different type of frameworks
  • Manage audit reporting and communication
  • Evaluate evidence collection and forensics processes
Estimated delivery fee Deliver to Russia

Economy delivery 10 - 13 business days

$6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 28, 2023
Length: 330 pages
Edition : 2nd
Language : English
ISBN-13 : 9781803248158
Category :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Estimated delivery fee Deliver to Russia

Economy delivery 10 - 13 business days

$6.95

Premium delivery 6 - 9 business days

$21.95
(Includes tracking information)

Product Details

Publication date : Jun 28, 2023
Length: 330 pages
Edition : 2nd
Language : English
ISBN-13 : 9781803248158
Category :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 164.97
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
$54.99
CISA – Certified Information Systems Auditor Study Guide
$59.99
Mastering Linux Security and Hardening
$49.99
Total $ 164.97 Stars icon

Table of Contents

13 Chapters
Chapter 1: Audit Planning Chevron down icon Chevron up icon
Chapter 2: Audit Execution Chevron down icon Chevron up icon
Chapter 3: IT Governance Chevron down icon Chevron up icon
Chapter 4: IT Management Chevron down icon Chevron up icon
Chapter 5: Information Systems Acquisition and Development Chevron down icon Chevron up icon
Chapter 6: Information Systems Implementation Chevron down icon Chevron up icon
Chapter 7: Information Systems Operations Chevron down icon Chevron up icon
Chapter 8: Business Resilience Chevron down icon Chevron up icon
Chapter 9: Information Asset Security and Control Chevron down icon Chevron up icon
Chapter 10: Network Security and Control Chevron down icon Chevron up icon
Chapter 11: Public Key Cryptography and Other Emerging Technologies Chevron down icon Chevron up icon
Chapter 12: Security Event Management Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.9
(98 Ratings)
5 star 90.8%
4 star 7.1%
3 star 2%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Hussam Feb 21, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Summarized and to the point.
Subscriber review Packt
Debashis Dey Feb 22, 2024
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Feefo Verified review Feefo
Hussam Alahmadi Dec 01, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I love the simplicity of the material and it's aim to be just to the point without unneeded elaboration, recommend book for CISA.
Feefo Verified review Feefo
Chris Akina Jul 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I already hold the CISSP and CISM certs but the CISA is a different game altogether. Thankfully, Hemang Doshi's CISA exam guide is a game-changer! His expertise makes complex auditing concepts accessible for all learners. The strategic organization and real-world examples ensure practical application. Clear writing and affordability make it a must-have for acing the CISA exam. Highly recommended!
Amazon Verified review Amazon
Turner Aug 10, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great book! The layout is very easy to understand, and the content is written, presented in a straightforward manner. I especially liked the unlimited access to the online exam-prep platform that was included with this book. Practice helps!If I were to improve this book, I would be to add an overarching mapping by content to the 5 areas that the CISA exam is testing. For instance, there are 12 chapters in the book, so, perhaps a higher heading to show where each chapter falls (within the 5 groups (areas)?) Before I began studying this book, I spent a couple of minutes making sure that the chapter headings covered each of the topics that were associated with each section, and they did, so, I had no concerns!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela