This Book Comes with Free Online Content
With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.
Figure 2.1: CISA online practice resources dashboard
To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.
Accessing the Online Content
If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.
Figure 2.2: QR Code to access CISA online practice resources main page
Once there, click the Login link in the top-right corner of the page to access the content using your credentials.
In this chapter, you will learn about audit execution processes such as project management techniques, sampling methodology, and audit evidence collection techniques. These topics are important because Information Systems (IS) auditors should be aware of the audit execution process.
The following topics will be covered in this chapter:
By the end of the chapter, you will have detailed knowledge of IS, business, and risk management processes that help protect the assets of an organization.
An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.
The following are the basic steps for managing and monitoring audit projects:
Figure 2.3: Basic steps for managing and monitoring audit projects
The activities mentioned in the preceding figure are all performed to achieve specific audit objectives. These are discussed in the next section.
Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:
An audit also provides reasonable assurance about the coverage of material items.
The audit process has three phases. The first phase is about planning, the second phase is about execution, and the third phase is about reporting. An IS auditor should be aware of the phases of an audit process shown in the following tables.
Phase | Audit Steps | Description
Planning Phase | Assess risk and determine audit area | The first step is to conduct a risk assessment and identify the function, process, system, and physical location to be audited.
Planning Phase | Determine audit objective |
Planning Phase | Determine the audit scope |
Planning Phase | Conduct pre-audit planning |
Planning Phase | Determine audit procedures |
Execution Phase | Gather data |
Execution Phase | Evaluate controls |
Execution Phase | Validate and document the results |
Reporting Phase | Draft report |
Reporting Phase | Issue report |
Reporting Phase | Follow up |
Table 2.1: Phases of an audit process
For the CISA exam, please note down the following steps for the audit process:
Figure 2.4: Steps followed in an audit
It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.
The implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.
In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.
The following table covers the important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
What does an IS audit provide? | Reasonable assurance about the coverage of material items
What is the first step of an audit project? | To develop an audit plan
What is the major concern in the absence of established audit objectives? | Not being able to determine key business risks
What is the primary objective of performing a risk assessment prior to the audit? | Allocating audit resources to areas of high risk
What is the first step of the audit planning phase? | Conducting risk assessments to determine the areas of high risk
Table 2.2: Key aspects from the CISA exam perspective
Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. A sample is thus a subset of the population.
This is a very important topic from a CISA exam perspective. Two or three questions can be expected from this topic. A CISA candidate should have an understanding of the following sampling techniques:
Sampling Types | Description
Statistical sampling | This is an objective sampling technique. This is also known as non-judgmental sampling. It uses the laws of probability, where each unit has an equal chance of selection. In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.
Non-statistical sampling | This is a subjective sampling technique. It’s also known as judgmental sampling. The auditor uses their experience and judgment to select the samples that are material and represent a higher risk.
Attribute sampling | Attribute sampling is the simplest kind of sampling based on certain attributes; it measures basic compliance. It answers the question, “How many?” It is expressed as a percentage—for example, “90% complied.” Attribute sampling is usually used in compliance testing.
Variable sampling | Variable sampling offers more information than attribute sampling. It answers the question, “How much?” It is expressed in monetary value, weight, height, or some other measurement—for example, “an average profit of $25,000.” Variable sampling is usually used in substantive testing.
Stop-or-go sampling | Stop-or-go sampling is used where controls are strong and very few errors are expected. It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.
Discovery sampling | Discovery sampling is used when the objective is to detect fraud or other irregularities. If a single error is found, the entire sample is believed to be fraudulent/irregular.
Table 2.3: Types of sampling and their descriptions
The following diagram will help you to understand the answers to specific CISA questions:
Figure 2.5: Different types of sampling
Also, remember the term AC-VS—Attribute Sampling for Compliance Testing and Variable Sampling for Substantive Testing.
Sampling risk refers to the risk that a sample is not a true representation of the population. The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.
A CISA candidate should be aware of the following terms related to sampling.
A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and confidence correlation are directly related. A high sample size will give a high confidence coefficient.
Look at the following example:
Population | Sample Size | Confidence Correlation
100 | 95 | 95%
100 | 50 | 50%
100 | 25 | 25%
Table 2.4: Example of confidence coefficient
In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence correlation.
In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence correlation.
The level of risk can be derived by deducting the confidence coefficient from 1. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100%–95%).
This indicates the expected percentage of errors that may exist. When the expected error rate is high, the auditor should select a higher sample size.
This indicates the maximum error rate that can exist without the audit result being materially misstated.
The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.
This indicates the variance of the sample value from the sample mean.
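As an added illustration of the sampling techniques in Table 2.3 and of the sampling terms just described (confidence coefficient, level of risk, expected error rate, sample mean and the spread of sample values), the following Python script is not from the book. It builds a constructed population of 100 purchase orders, draws a statistical and a judgmental sample from it, computes an attribute-sampling compliance percentage ("how many?") and a variable-sampling mean with standard deviation ("how much?"), derives the level of risk from a confidence coefficient, and shows discovery and stop-or-go stopping rules. The record layout, the "approved before payment" attribute, the dollar amounts, and the batch size used for stop-or-go are assumptions made for the example; the stop-or-go rule is a simplified model of the idea, not a standard formula.

```python
import random
import statistics

# Constructed population (not from the book): 100 purchase orders. Every
# 10th order lacks approval before payment, so the true exception rate is 10%.
POPULATION = [
    {
        "po_id": f"PO-{i:03d}",
        "approved_before_payment": i % 10 != 0,
        "amount": 1000 + (i * 37) % 900,   # assumed monetary value in dollars
    }
    for i in range(1, 101)
]


def statistical_sample(population, size, seed=42):
    """Statistical (non-judgmental) selection: every unit has an equal
    chance of being chosen, so the sampling risk can be quantified.
    The seed only makes the draw reproducible for this demonstration."""
    return random.Random(seed).sample(population, size)


def judgmental_sample(population, size):
    """Non-statistical selection: the auditor picks the units judged most
    material, modelled here as the highest-value orders."""
    return sorted(population, key=lambda r: r["amount"], reverse=True)[:size]


def attribute_compliance_rate(sample, attribute):
    """Attribute sampling answers 'how many?': the percentage of sampled
    items that possess the attribute (e.g. 90.0 means '90% complied')."""
    hits = sum(1 for r in sample if r[attribute])
    return round(100.0 * hits / len(sample), 1)


def variable_estimate(sample, field_name):
    """Variable sampling answers 'how much?': returns the sample mean and
    the sample standard deviation (spread of values around the mean)."""
    values = [r[field_name] for r in sample]
    return statistics.mean(values), statistics.stdev(values)


def risk_level(confidence_pct):
    """Level of risk is the confidence coefficient deducted from 100%."""
    return 100 - confidence_pct


def discovery_sampling(sample, attribute):
    """Discovery sampling: one exception is enough to treat the population
    as irregular, so return the first exception found (or None)."""
    for r in sample:
        if not r[attribute]:
            return r["po_id"]
    return None


def stop_or_go(population, attribute, batch=10, max_size=50, seed=42):
    """Simplified stop-or-go sampling: draw small batches and stop at the
    first batch containing no exception, so strong controls need fewer
    items. Returns (items examined, exceptions found)."""
    order = random.Random(seed).sample(population, len(population))
    examined = exceptions = 0
    for start in range(0, max_size, batch):
        chunk = order[start:start + batch]
        chunk_exceptions = sum(1 for r in chunk if not r[attribute])
        examined += len(chunk)
        exceptions += chunk_exceptions
        if chunk_exceptions == 0:
            break
    return examined, exceptions


if __name__ == "__main__":
    sample = statistical_sample(POPULATION, 25)
    print("compliance rate:", attribute_compliance_rate(sample, "approved_before_payment"))
    print("mean, stdev:", variable_estimate(sample, "amount"))
    print("risk at 95% confidence:", risk_level(95))
    print("discovery:", discovery_sampling(sample, "approved_before_payment"))
    print("stop-or-go:", stop_or_go(POPULATION, "approved_before_payment"))
```

Running the script on the whole population gives a compliance rate of 90.0, which is the attribute-sampling answer to "how many complied?"; the same functions applied to a 25-item statistical sample give the estimate an auditor would actually work from, and the gap between the two is the sampling risk the text describes.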
A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.
The following table differentiates between compliance and substantive testing:
Compliance Testing | Substantive Testing
Compliance testing involves the verification of the controls of a process. | Substantive testing involves the verification of data or transactions.
Compliance testing checks for the presence of controls. | Substantive testing checks for the completeness, accuracy, and validity of the data.
In compliance testing, attribute sampling is preferred. | In substantive testing, variable sampling is preferred.
Table 2.5: Differences between compliance testing and substantive testing
Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.
The following examples will further help you understand the different use cases of compliance testing and substantive testing:
Compliance Testing | Substantive Testing
To check for controls in router configuration | To count and confirm the physical inventory
To check for controls in the change management process | To confirm the validity of inventory valuation calculations
Verification of system access rights | To count and confirm cash balance
Verification of firewall settings | Examining the trial balance
Reviewing compliance with the password policy | Examining other financial statements
Table 2.6: Differences between the use cases of compliance testing and substantive testing
A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:
Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.
The following table covers important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
Which sampling technique should be used when the probability of error must be objectively quantified? | Statistical sampling.
How can sampling risk be mitigated? | By using statistical sampling.
Which sampling method is most useful when testing for compliance? | Attribute sampling.
In the case of a strong internal control, should the confidence coefficient/sample size be increased or lowered? | The confidence coefficient/sampling size may be lowered.
Which sampling method would best assist auditors when there are concerns of fraud? | Discovery sampling.
How can you differentiate between compliance testing and substantive testing? | The objective of compliance testing is to test the presence of controls, whereas the objective of substantive testing is to test individual transactions. Take the example of asset inventory: Compliance testing verifies whether a control exists for inward/outward movement of the assets. Verifying the count of physical assets and comparing it with records is substantive testing.
What are some examples of compliance testing? | To verify the configuration of a router for controls. To verify the change management process to ensure controls are effective. Reviewing system access rights. Reviewing firewall settings. Reviewing compliance with a password policy.
What are some examples of substantive testing? | A physical inventory of the tapes at the location of offsite processing. Confirming the validity of the inventory valuation calculations. Conducting a bank confirmation to test cash balances. Examining the trial balance. Examining other financial statements.
In what scenario can the substantive test procedure be reduced? | The internal control is strong/the control risk is within acceptable limits.
Table 2.7: Key aspects from the CISA exam perspective
Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.
An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.
The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.
The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.
Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.
Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.
The following figure highlights the evidence-related guidelines:
Figure 2.6: Evidence-related guidelines
The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.
The following techniques are used by IS auditors to gather evidence during the audit process:
Factors | Descriptions
Review the organization’s structure |
Review IS policies, processes, and standards |
Observations |
Interview technique |
Re-performance |
Process walk-through |
Table 2.8: Evidence-gathering factors and their descriptions
The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.
Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:
Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.
The following table covers important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
What does the extent of the data requirements for the audit depend on? | The objective and scope of the audit.
What should audit findings be supported by? | Sufficient and appropriate audit evidence.
What is the most important reason to obtain sufficient audit evidence? | To provide a reasonable basis for drawing conclusions.
What is the most effective tool for obtaining audit evidence through digital data? | Computer-assisted auditing techniques.
What is the most important advantage of using CAATs for gathering audit evidence? | CAATs provide assurance about the reliability of the evidence collected.
What type of evidence is considered most reliable? | Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.
What is the primary reason for a functional walk-through? | To understand the business process.
Table 2.9: Key aspects from the CISA exam perspective
Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.
The following are some examples of the use of DA:
CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.
The following table presents a breakdown of the functions of CAAT tools:
CAAT Tools | Functions
General Audit Software | This is a standard type of software that is used to read and access data directly from various database platforms.
Utility and Scanning Software | This helps in generating reports of the database management system. It also scans the system for vulnerabilities.
Debugging | This helps in identifying and removing errors from computer hardware or software.
Test Data | This is used to test processing logic, computations, and controls programmed in computer applications.
Table 2.10: Breakdown of CAAT functions
A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.
The following are some examples of use cases for CAAT tools:
An auditor should be aware of the following precautions when using CAAT tools:
A CISA candidate should understand the difference between continuous auditing and continuous monitoring:
Continuous Auditing | Continuous Monitoring
In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach. | In continuous monitoring, the relevant process of a system is observed on a continuous basis.
For example, high payouts are audited immediately after a payment is made. | For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.
Table 2.11: Differences between continuous auditing and continuous monitoring
Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.
For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.
The following are the features of an Integrated Test Facility (ITF).
In an ITF, a fictitious entity is created in the production environment:
The following are the features of a System Control Audit Review File (SCARF):
The following are the features of the snapshot technique:
The following are the features of an audit hook:
The following are the features of Continuous and Intermittent Simulation (CIS):
The following table summarizes the features of continuous audit tools:
Audit Tool | Usage
SCARF/EAM | This is useful when regular processing cannot be interrupted.
Snapshots | Pictures or snapshots are used when an audit trail is required.
Audit hooks | When early detection of fraud or error is required.
ITF | Test data is used in a production environment.
CIS | CIS is useful for the identification of transactions as per predefined criteria in a complex environment.
Table 2.12: Types of continuous audit tools and their features
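To make the five continuous audit tools in Table 2.12 concrete, the following Python script is an added example and is not code from the book or from any real audit product. It models a small payment ledger whose posting routine carries embedded audit code: an audit hook flags a suspect transaction as soon as it arrives (early detection), a snapshot records the before and after image of each posting (audit trail), a SCARF/EAM file collects transactions meeting predefined criteria without interrupting processing, an ITF check validates what a fictitious cost centre posted and reports the reversal needed, and a CIS routine re-computes selected transactions in parallel and reports disagreements. The transaction batch, the approved-payee list, the "ITF-TEST" cost centre, and the two monetary thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed batch of payment transactions (not data from the book).
# "ITF-TEST" is the fictitious cost centre an auditor created in production
# for an Integrated Test Facility run; its expected posting is 50.
TRANSACTIONS = [
    {"txn_id": "T001", "cost_centre": "SALES",    "payee": "ACME",        "amount": 1200},
    {"txn_id": "T002", "cost_centre": "ITF-TEST", "payee": "AUDIT-DUMMY", "amount": 50},
    {"txn_id": "T003", "cost_centre": "SALES",    "payee": "ACME",        "amount": 48000},
    {"txn_id": "T004", "cost_centre": "OPS",      "payee": "UNKNOWN-CO",  "amount": 7000},
]

APPROVED_PAYEES = {"ACME", "GLOBEX", "AUDIT-DUMMY"}   # assumed master data
HIGH_VALUE_LIMIT = 25000      # assumed audit-hook threshold
SCARF_REVIEW_LIMIT = 12500    # assumed SCARF selection criterion
ITF_EXPECTED_POSTING = 50     # what the fictitious entity should post


@dataclass
class AuditedLedger:
    balance: int = 0
    scarf_file: list = field(default_factory=list)    # SCARF/EAM exception file
    snapshots: list = field(default_factory=list)     # before/after images
    hook_alerts: list = field(default_factory=list)   # early-warning flags

    def process(self, txn):
        """Application posting with embedded audit code. Processing is never
        interrupted: findings are recorded on the side and the transaction
        still posts."""
        # Audit hook: flag a suspect transaction the moment it arrives so
        # fraud or error can be investigated before the batch completes.
        if txn["amount"] > HIGH_VALUE_LIMIT or txn["payee"] not in APPROVED_PAYEES:
            self.hook_alerts.append(txn["txn_id"])
        # Snapshot technique: capture the state before and after the update
        # so the audit trail shows exactly what this transaction changed.
        before = self.balance
        self.balance += txn["amount"]
        self.snapshots.append({"txn_id": txn["txn_id"], "cost_centre": txn["cost_centre"],
                               "before": before, "after": self.balance})
        # SCARF/EAM: copy transactions that meet predefined audit criteria
        # into a file for the auditor to review later.
        if txn["amount"] >= SCARF_REVIEW_LIMIT or txn["cost_centre"] == "ITF-TEST":
            self.scarf_file.append(txn["txn_id"])

    def itf_result(self):
        """ITF: compare what the fictitious entity actually posted with the
        expected result, and report the amount that must be reversed so the
        test data does not remain in real balances."""
        posted = sum(s["after"] - s["before"] for s in self.snapshots
                     if s["cost_centre"] == "ITF-TEST")
        return {"posted": posted,
                "processing_accurate": posted == ITF_EXPECTED_POSTING,
                "reversal_required": posted}


def cis_simulate(transactions, ledger, predicate):
    """CIS: the auditor's simulator runs alongside the application, selects
    the transactions that meet predefined criteria, recomputes each one
    independently and reports any posting that disagrees with the
    application's own snapshot."""
    images = {s["txn_id"]: s for s in ledger.snapshots}
    selected, mismatches = [], []
    for txn in transactions:
        if not predicate(txn):
            continue
        selected.append(txn["txn_id"])
        image = images[txn["txn_id"]]
        if image["before"] + txn["amount"] != image["after"]:
            mismatches.append(txn["txn_id"])
    return selected, mismatches


def run_batch(transactions):
    """Post every transaction through the audited ledger and return it."""
    ledger = AuditedLedger()
    for txn in transactions:
        ledger.process(txn)
    return ledger


if __name__ == "__main__":
    ledger = run_batch(TRANSACTIONS)
    print("balance:", ledger.balance)
    print("audit hook alerts:", ledger.hook_alerts)
    print("SCARF file:", ledger.scarf_file)
    print("ITF check:", ledger.itf_result())
    print("CIS:", cis_simulate(TRANSACTIONS, ledger, lambda t: t["amount"] > 5000))
```

The design point worth noticing is where each tool acts: the hook fires before the posting, the snapshot wraps the posting, SCARF records after it, and ITF and CIS run afterwards over the recorded images, which is why only the hook can give early warning while the others give an audit trail or later review.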
An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.
The following table covers important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
What is the first step of conducting data analytics? | The first step will be determining the objective and scope of analytics.
Which is the most effective online audit technique when an audit trail is required? | The snapshot technique.
What is the advantage of an Integrated Test Facility (ITF)? | Setting up a separate test environment/test process is not required. An ITF helps validate the accuracy of the system processing.
Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria? | CIS is most useful to identify transactions as per predefined criteria in a complex environment.
Table 2.13: Key aspects from the CISA exam perspective
Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities.
Auditing is not about finding errors. It is about adding value to the existing processes of an organization.
A formal exit interview is essential before the audit report is released. The following are the objectives of an exit interview:
The exit meeting ensures that facts are not misunderstood or misinterpreted. Exit meetings help to align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.
A CISA candidate should note the following best practices with respect to audit reporting:
The following are the six objectives of audit reporting:
An audit report includes the following content:
Now you will see a rundown of the main objectives of follow-up activities.
The main objective of follow-up activities is to validate whether management has implemented the recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented.
Follow-up activities should be taken on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.
Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.
The following table covers important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
What is the objective of an audit closure meeting? | To ensure that there have been no misunderstandings or misinterpretations of the facts
What is the objective of conducting a follow-up audit? | To validate remediation action
What is the best way to schedule a follow-up audit? | On the basis of the due date agreed upon by auditee management
Table 2.14: Key aspects from the CISA exam perspective
Control Self-Assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee understands the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.
CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.
The following are the objectives of implementing a CSA program:
The following are the benefits of implementing a CSA program:
Due care should be taken when implementing the CSA function. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.
The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their environment. The IS auditor should provide insight into the objectives of CSA.
The following table covers important aspects from the CISA exam perspective:
CISA Questions | Possible Answers
What is the primary objective of implementing CSA? | To monitor and control high-risk areas; to enhance audit responsibilities
What is the role of the auditor in the implementation of CSA? | To act as a facilitator for the CSA program
What is the most significant requirement for a successful CSA? | Involvement of line management
Table 2.15: Key aspects from the CISA exam perspective
In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.
The following are some of the important topics that were covered in this chapter:
In the next chapter, you will explore the enterprise governance of IT and related frameworks.
Before you proceed to Chapter 3, IT Governance, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.
Note
A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.
The following image shows an example of the practice questions interface.
Figure 2.7: CISA practice questions interface
To access the end-of-chapter questions from this chapter, follow these steps:
Figure 2.8: Chapter summary and login
You can also scan the following QR code to access the website:
Figure 2.9: QR code to access Chapter 2 questions
After a successful login, you will see the following screen:
Figure 2.10: Chapter summary and end-of-chapter question sets
Figure 2.11: Practice questions interface with timer
When the timer runs out, the quiz will submit automatically. Attempt each quiz multiple times until you are able to answer all questions not just correctly, but within the time limit as well.
Chapter Benchmark Score
Before moving on to the next chapter, it is recommended that you score an average of 75% on the end-of-chapter practice quizzes. By actively working toward meeting this benchmark score, you will ensure that you are well-equipped to tackle the concepts in the upcoming chapter.