You're reading from CISA – Certified Information Systems Auditor Study Guide - Second Edition

Product type: Book
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781803248158
Edition: 2nd Edition

Author: Hemang Doshi

Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.

Audit Planning

This Book Comes with Free Online Content

With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.

Figure 1.1: CISA online practice resources dashboard

To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

Accessing the Online Content

If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.

Figure 1.2: QR code to access the CISA online practice resources main page

Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

An Information Systems (IS) audit examines the management controls in...

The Contents of an Audit Charter

An internal audit is an independent activity and should ideally be reported to a board-level committee. In most organizations, the internal audit function reports to the audit committee of the board. This helps to protect the independence of the audit function. Audit reporting may be biased in the absence of an independent audit function.

The independence of the audit function is further ensured through a management-approved audit charter.

The following figure shows the features of an audit charter:

Figure 1.3: Features of an audit charter

The CISA candidate should note the following features of the audit charter:

  • An audit charter is a formal document defining the internal audit’s objective, authority, and responsibility. The audit charter covers the entire scope of audit activities. An audit charter must be approved by senior management.
  • An audit charter should not be changed too often as it defines...

Audit Planning

CISA aspirants should understand the following important terms before reading about the different aspects of audit planning:

  • Audit universe: An inventory of all the functions, processes, and units within the organization.
  • Qualitative risk assessment: In a qualitative risk assessment, risk is assessed using qualitative parameters such as high, medium, and low.
  • Quantitative risk assessment: In a quantitative risk assessment, risk is assessed using numerical parameters and is quantified; for example, a 50% chance of failure with an amount at risk of $1,000.
  • Risk factors: Factors that have an impact on risk. The presence of such factors increases the risk, whereas their absence decreases it.

All the preceding elements are important prerequisites for the design of a structured audit plan. Next, you will explore the benefits of a structured and well-designed audit plan.

Benefits of Audit Planning

Audit planning is the initial stage of the audit...

Business Process Applications and Controls

Working knowledge of the business environment and business objectives is required to plan a risk-based audit. The IS auditor should have a sufficient understanding of the overall architecture and the technical specifications of the various applications used by the organization and the risks associated with them.

In understanding the issues and current risks facing the business, the IS auditor should focus on areas that are most meaningful to management. To effectively audit business application systems, an IS auditor is required to gain a thorough understanding of the system under the scope of the audit.

The following are some of the widely used applications in business processes. The CISA candidate should be aware of the risks associated with each of them.

E-Commerce

Start with understanding how e-commerce works:

  • Single-tier architecture runs on a single computer, that is, a client-based application.
  • Two-tier architecture...

Types of Controls

An internal control is a process used to safeguard the assets of an organization. Assets can include systems, data, people, hardware, or the reputation of the organization. Internal controls help in achieving the objectives of the organization by mitigating various risks.

Internal controls are implemented through policies, procedures, practices, and organizational structures to address risks. Internal controls provide reasonable assurance to management about the achievement of business objectives. Through internal controls, risk events are prevented or detected and corrected.

Top management is responsible for implementing a culture that supports efficient and effective internal control processes.

Effective controls in an organization can be categorized into preventive, detective, deterrent, and corrective as shown in the following figure:

Figure 1.5: Types of effective controls in an organization

You will now explore these control...

Risk-Based Audit Planning

CISA aspirants are expected to understand the following aspects of risk-based audit planning:

  • What is risk?
  • Vulnerabilities and threats
  • Inherent risk and residual risk
  • The advantages of risk-based audit planning
  • Audit risk
  • The steps of the risk-based audit approach
  • The steps of risk assessment
  • The four methodologies for risk treatment

What Is Risk?

You will now explore some of the widely accepted definitions of risk.

Most of the CISA questions are framed around risk. Therefore, CISA candidates should have a thorough understanding of the term risk, which has multiple definitions/formulas. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.

Some of the more commonly used definitions of risk are presented here:

  • COSO ERM defines risk as “potential events that may impact the entity.”
  • The Oxford English Dictionary defines...

Types of Audits and Assessments

CISA candidates are expected to have a basic understanding of the various types of audits that can be performed, internally or externally, and the basic audit procedures associated with each of them. These are as follows:

Summary

In this chapter, you explored various audit processes, standards, guidelines, practices, and techniques that an IS auditor is expected to use during audit assignments. You learned about risk-based audit planning and its advantages. The most important benefit of audit planning is that it helps the auditor focus on high-risk areas. You explored the major risks associated with business applications.

The important topics covered in this chapter were as follows:

  • The audit department’s activities are influenced by the audit charter. The approved audit charter is the basis on which the chief audit officer carries out audit processes. The audit charter should ideally be approved by top management.
  • The identification of high-risk areas within the audit scope is the first step in the audit procedure. Audit planning can be done in accordance with the findings regarding the risk-prone areas.
  • Preventive controls are designed to prevent omissions, errors, or negative...

Chapter Review Questions

Before you move on to Chapter 2, Audit Execution, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 1.9: CISA practice questions interface

To access the end-of-chapter questions from this chapter, follow these steps:

  1. Open your web browser and go to https://packt.link/dkrqI. You will see the following screen...
Types of audit (Type of Audit: Description)

  • IS audit: An IS audit is conducted to evaluate and determine whether an information system and any related infrastructure are adequately safeguarded and protected to maintain confidentiality, integrity, and availability.
  • Compliance audit: A compliance audit is conducted to evaluate and determine whether specific regulatory requirements are being complied with.
  • Financial audit: A financial audit is conducted to evaluate and determine the accuracy of financial reporting.
  • ...