You're reading from CISA – Certified Information Systems Auditor Study Guide Aligned with the CISA Review Manual 2024 with over 1000 practice questions to ace the exam

Product type Paperback

Published in Oct 2024

Publisher Packt

ISBN-13 9781835882863

Length 356 pages

Edition 3rd Edition

Concepts

Information Security

Author (1):

Hemang Doshi

View More author details

Table of Contents (15) Chapters

Preface

1. Chapter 1: Audit Planning

2. Chapter 2: Audit Execution FREE CHAPTER

3. Chapter 3: IT Governance

4. Chapter 4: IT Management

5. Chapter 5: Information Systems Acquisition and Development

6. Chapter 6: Information Systems Implementation

7. Chapter 7: Information Systems Operations

8. Chapter 8: Business Resilience

9. Chapter 9: Information Asset Security and Control

10. Chapter 10: Network Security and Control

11. Chapter 11: Public Key Cryptography and Other Emerging Technologies

12. Chapter 12: Security Event Management

13. Chapter 13: Accessing the Online Practice Resources

14. Other Books You May Enjoy

Audit Project Management

An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

To confirm that internal control exists
To evaluate the effectiveness of internal controls
To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit management project process has three phases. The first phase is planning, the second phase is execution, and the third phase is reporting. An IS auditor should be aware of the steps involved in the phases of an audit management process, as shown in the following table:

Phase	Audit Steps	Description
Planning	Assess risk and determine audit areas	The first step is to conduct a risk assessment and identify the function, process, system, and physical location to be audited
	Determine audit objective	The primary goal during the planning stage of an IS audit is to address the audit objectives The audit objective (i.e., the audit purpose) is also to be determined An audit may be conducted for regulatory or contractual requirements
	Determine the audit scope	The next step is to identify and determine the scope of the audit The scope may be restricted to a few applications or a few processes only Defining the scope will help the auditor determine the resources required for conducting the audit
	Conduct pre-audit planning	Pre-audit planning includes understanding the business environment and the relevant regulations It includes conducting risk assessments to determine areas of high risk It also includes determining resource requirements and audit timings
	Determine audit procedures	The audit program is designed on the basis of pre-audit information, which includes resource allocation and audit procedures to be followed During this step, audit tools and audit methodology are developed to test and verify the controls
Execution	Gather data	The next step is to gather relevant data and documents for conducting the audit
	Evaluate controls	Once the required information, data, and documents are available, the auditor is required to evaluate the controls to verify their effectiveness and efficiency
	Validate and document the results	Audit observations should be validated and documented along with the relevant evidence
Reporting	Draft report	A draft report should be issued to obtain comments from management on the audit observations Before issuance of the final report, the draft report should be discussed with management
	Issue report	The final report should contain audit findings, recommendations, comments, and the expected date of closure of the audit findings
	Follow up	A follow-up should be done to determine whether the audit findings are closed and a follow-up report should be issued

Table 2.1: Phases of an audit process

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Key Aspects for the CISA Exam

The following table covers the important aspects from the CISA exam perspective:

Questions	Possible Answers
What does an IS audit provide?	Reasonable assurance about the coverage of material items
What is the first step of an audit project?	To develop an audit plan
What is the major concern in the absence of established audit objectives?	Not being able to determine key business risks
What is the primary objective of performing a risk assessment prior to the audit?	Allocating audit resources to areas of high risk
What is the first step of the audit planning phase?	Conducting risk assessments to determine the areas of high risk
What is an important consideration when planning the scope and objectives of an IS audit?	Applicable statutory requirements

Table 2.2: Key aspects for the CISA exam

Audit sampling is an important element of audit project management and selecting an appropriate sampling methodology is critical for gathering the relevant data and drawing accurate conclusions. The next section discusses sampling methodologies.