You're reading from CISA – Certified Information Systems Auditor Study Guide Aligned with the CISA Review Manual 2024 with over 1000 practice questions to ace the exam

Product type Paperback

Published in Oct 2024

Publisher Packt

ISBN-13 9781835882863

Length 356 pages

Edition 3rd Edition

Concepts

Information Security

Author (1):

Hemang Doshi

View More author details

Table of Contents (15) Chapters

Preface

1. Chapter 1: Audit Planning

2. Chapter 2: Audit Execution FREE CHAPTER

3. Chapter 3: IT Governance

4. Chapter 4: IT Management

5. Chapter 5: Information Systems Acquisition and Development

6. Chapter 6: Information Systems Implementation

7. Chapter 7: Information Systems Operations

8. Chapter 8: Business Resilience

9. Chapter 9: Information Asset Security and Control

10. Chapter 10: Network Security and Control

11. Chapter 11: Public Key Cryptography and Other Emerging Technologies

12. Chapter 12: Security Event Management

13. Chapter 13: Accessing the Online Practice Resources

14. Other Books You May Enjoy

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable than an oral agreement.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without the relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have the scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on the relevant timing.

Figure 2.1 highlights the evidence-related guidelines:

Figure 2.1: Evidence-related guidelines

The guidelines discussed for the reliability of evidence are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors	Descriptions
Review the organization’s structure	The IS auditor should review the organization’s structure and governance model. This will help the auditor determine the control environment of the enterprise.
Review IS policies, processes, and standards	The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented. The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.
Observations	The IS auditor should observe the processes being audited to determine the following: The skill and experience of the staff The security awareness of the staff The existence of segregation of duties (SoD)
Interview technique	The IS auditor should have the skill and competency to conduct interviews tactfully. Interview questions should be designed in advance to ensure that all topics are covered. To the greatest extent possible, interview questions should be open-ended to gain insight into the process. The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.
Re-performance	In re-performance, the IS auditor performs the activity that was originally performed by the staff of the organization. Re-performance provides better evidence than other techniques. It should be used when other methods do not provide sufficient assurance about control effectiveness.
Process walk-through	A process walk-through is done by the auditor to confirm the understanding of the policies and processes. In a process walk-through, each step of the process being audited is observed, with discussion around how the process is executed, who is responsible for the process, and how all tasks are performed.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.
Computer-assisted audit techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Fraud, Irregularities, and Illegal Acts

While evaluating the evidence, it must be noted that the implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions	Possible Answers
What does the extent of the data requirements for the audit depend on?	The objective and scope of the audit
What should audit findings be supported by?	Sufficient and appropriate audit evidence
What is the most important reason to obtain sufficient audit evidence?	To provide a reasonable basis for drawing conclusions
What is the most effective tool for obtaining audit evidence through digital data?	Computer-assisted auditing techniques
What is the most important advantage of using CAATs for gathering audit evidence?	CAATs provide assurance about the reliability of the evidence collected
What type of evidence is considered most reliable?	Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.
What is the primary reason for a functional walk-through?	To understand the business process

Table 2.9: Key aspects for the CISA exam

Gathering reliable audit evidence is important for forming an auditor’s opinion. Traditional methods can be slow and might miss important details, which can impact audit results. Data analytics (DA) changes this by allowing auditors to quickly analyze large amounts of data, improving accuracy and uncovering insights. It helps auditors find risks and unusual patterns more effectively. In the next section, we’ll explore how data analytics enhances modern auditing and makes it more efficient.