You're reading from CISA – Certified Information Systems Auditor Study Guide - Second Edition

Product typeBook

Published inJun 2023

PublisherPackt

ISBN-139781803248158

Edition2nd Edition

Concepts

Information Security

Author (1)

Hemang Doshi

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors	Descriptions
Review the organization’s structure	The IS auditor should review the organization’s structure and governance model. This will help the auditor determine the control environment of the enterprise.
Review IS policies, processes, and standards	The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented. The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.
Observations	The IS auditor should observe the process to determine the following: The skill and experience of the staff The security awareness of the staff The existence of segregation of duties (SoD)
Interview technique	The IS auditor should have the skill and competency to conduct interviews tactfully. Interview questions should be designed in advance to ensure that all topics are covered. To the greatest extent possible, interview questions should be open-ended to gain insight into the process. The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.
Re-performance	In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization. Re-performance provides better evidence than other techniques. It should be used when other methods do not provide sufficient assurance about control effectiveness.
Process walk-through	A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions	Possible Answers
What does the extent of the data requirements for the audit depend on?	The objective and scope of the audit.
What should audit findings be supported by?	Sufficient and appropriate audit evidence.
What is the most important reason to obtain sufficient audit evidence?	To provide a reasonable basis for drawing conclusions.
What is the most effective tool for obtaining audit evidence through digital data?	Computer-assisted auditing techniques.
What is the most important advantage of using CAATs for gathering audit evidence?	CAATs provide assurance about the reliability of the evidence collected.
What type of evidence is considered most reliable?	Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.
What is the primary reason for a functional walk-through?	To understand the business process.

Table 2.9: Key aspects from the CISA exam perspective

You have been reading a chapter from

CISA – Certified Information Systems Auditor Study Guide - Second Edition

Published in: Jun 2023Publisher: PacktISBN-13: 9781803248158

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at €14.99/month. Cancel anytime

Author (1)

Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
Read more about Hemang Doshi

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages