This Book Comes with Free Online Content

With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.

Figure 2.1: CISA online practice resources dashboard

To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

Accessing the Online Content

If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.

Figure 2.2: QR Code to access CISA online practice resources main page

Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

In this chapter, you will learn about audit execution processes such as project management techniques, sampling methodology, and audit evidence collection techniques. These topics are important because Information Systems (IS) auditors should be aware of the audit execution process.

The following topics will be covered in this chapter:

• Audit project management
• Sampling methodology
• Audit evidence collection techniques
• Data analytics
• Reporting and communication techniques
• Control self-assessment

By the end of the chapter, you will have detailed knowledge of IS, business, and risk management processes that help protect the assets of an organization.

An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

The following are the basic steps for managing and monitoring audit projects:

Figure 2.3: Basic steps for managing and monitoring audit projects

The activities mentioned in the preceding figure are all performed to achieve specific audit objectives. These are discussed in the next section.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

• To confirm that internal control exists
• To evaluate the effectiveness of internal controls
• To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit process has three phases. The first phase is about planning, the second phase is about execution, and the third phase is about reporting. An IS auditor should be aware of the phases of an audit process shown in the following tables.

Table 2.1: Phases of an audit process

For the CISA exam, please note down the following steps for the audit process:

Figure 2.4: Steps followed in an audit

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Fraud, Irregularities, and Illegal Acts

The implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee board.

Key Aspects from the CISA Exam Perspective

The following table covers the important aspects from the CISA exam perspective:

Table 2.2: Key aspects from the CISA exam perspective

Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. Therefore, samples are a subset of the population.

Sampling Types

This is a very important topic from a CISA exam perspective. Two or three questions can be expected from this topic. A CISA candidate should have an understanding of the following sampling techniques:

Table 2.3: Types of sampling and their descriptions

The following diagram will help you to understand the answers to specific CISA questions:

Figure 2.5: Different types of sampling

Also, remember the term AC-VS—Attribute Sampling for Compliance Testing and Variable Sampling for Substantive Testing.

Sampling Risk

Sampling risk refers to the risk that a sample is not a true representation of the population. The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.

Other Sampling Terms

A CISA candidate should be aware of the following terms related to sampling.

The Confidence Coefficient

A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and confidence correlation are directly related. A high sample size will give a high confidence coefficient.

Look at the following example:

Table 2.4: Example of confidence coefficient

In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence correlation.

In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence correlation.

Level of Risk

The level of risk can be derived by deducting the confidence coefficient from 1. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100%–95%).

Expected Error Rate

This indicates the expected percentage of errors that may exist. When the expected error rate is high, the auditor should select a higher sample size.

Tolerable Error Rate

This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample Mean

The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.

Sample Standard Deviation

This indicates the variance of the sample value from the sample mean.

Compliance versus Substantive Testing

A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.

The Differences between Compliance Testing and Substantive Testing

The following table differentiates between compliance and substantive testing:

Table 2.5: Differences between compliance testing and substantive testing

Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.

Examples of Compliance Testing and Substantive Testing

The following examples will further help you understand the different use cases of compliance testing and substantive testing:

Table 2.6: Differences between the use cases of compliance testing and substantive testing

The Relationship between Compliance Testing and Substantive Testing

A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:

• Ideally, compliance testing should be performed first and should be followed by substantive testing.
• The outcome of compliance testing is used to plan for a substantive test. If the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be required or may be reduced. However, if the outcome of compliance testing indicates a poor internal control system, more rigorous substantive testing is required. Thus, the design of substantive tests is often dependent on the result of compliance testing.
• The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing, whereas variable sampling will be useful for substantive testing.

Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

Table 2.7: Key aspects from the CISA exam perspective

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

• In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
• Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
• Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

Table 2.9: Key aspects from the CISA exam perspective

Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

• To determine whether a user is authorized by combining logical access files with the human resource employee database
• To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
• To identify tailgating by combining input with output records
• To review system configuration settings
• To review logs for unauthorized access

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

• To determine the accuracy of transactions and balances
• For detailed analysis
• To ascertain compliance with IS general controls
• To ascertain compliance with IS application controls
• To assess network and operating system controls
• For vulnerability and penetration testing
• For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

• Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality
• Obtain approval for installing the CAAT software on the auditee servers
• Obtain only read-only access when using CAATs on production data
• Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF).

In an ITF, a fictitious entity is created in the production environment:

• The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
• Processed results and expected results are evaluated to check the proper functioning of systems.
• For example, with the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of processing. If the processed results match the expected results, then it determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

• In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
• A SCARF is used to obtain data or information for audit purposes.
• SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
• SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

• This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
• Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
• Snapshots are useful when an audit trail is required.
• The IS auditor should consider the following significant factors when working with this technique:
  • At what location snapshots are captured
  • At what time snapshots are captured
  • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

• Audit hooks are embedded in the application system to capture exceptions.
• The auditor can set different criteria to capture exceptions or suspicious transactions.
• For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
• Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
• Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

• CIS replicates or simulates the processing of the application system.
• In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review.
• CIS compares its own results with the results produced by application systems. If any discrepancies are noted, it is written to the exception log file.
• CIS is useful to identify the transactions as per the predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

Table 2.13: Key aspects from the CISA exam perspective

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization.

A formal exit interview is essential before the audit report is released. The following are the objectives of an exit interview:

• To ensure that the facts are appropriately and correctly presented in the report
• To discuss recommendations with auditee management
• To discuss an implementation date

The exit meeting ensures that facts are not misunderstood or misinterpreted. Exit meetings help to align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

A CISA candidate should note the following best practices with respect to audit reporting:

• The IS auditor is ultimately responsible for senior management and the final audit report should be sent to the Audit Committee of the Board (ACB). If the IS auditor has no access to the top officials and the audit committee, it will impact the auditor’s independence.
• Before the report is placed with the ACB, the IS auditor should discuss with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
• Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
• If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally, accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
• To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

The following are the six objectives of audit reporting:

• The presentation of audit findings/results to all the stakeholders (that is, the auditees).
• The audit report serves as a formal closure for the audit committee.
• The audit report provides assurance to the organization. It identifies the areas that require corrective action and associated suggestions.
• The audit report serves as a reference for any party researching the auditee or audit topic.
• It helps in follow-ups of audit findings presented in the audit reports for closure.
• A well-defined audit report promotes audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report includes the following content:

• An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
• Audit findings and recommendations
• Opinion about the adequacy, effectiveness, and efficiency of the control environment

Now you will see a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented.

Follow-up activities should be taken on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

Table 2.14: Key aspects from the CISA exam perspective

Control Self-Assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee understands the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.

CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.

Objectives of CSA

The following are the objectives of implementing a CSA program:

• Make functional staff responsible for control monitoring
• Enhance audit responsibilities (not to replace the audit’s responsibilities)
• Concentrate on critical processes and areas of high risk

Benefits of CSA

The following are the benefits of implementing a CSA program:

• It allows risk detection at an early stage of the process and reduces control costs.
• It helps in ensuring effective and stronger internal controls, which improves the audit rating process.
• It helps the process owner take responsibility for control monitoring.
• It helps in increasing employee awareness of organizational goals. It also helps in understanding the risk and internal controls.
• It improves communication between senior officials and operational staff.
• It improves the motivational level of the employees.
• It provides assurance to all the stakeholders and customers.
• It provides assurance to top management about the adequacy, effectiveness, and efficiency of the control requirements.

Precautions while Implementing CSA

Due care should be taken when implementing the CSA function. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.

An IS Auditor’s Role in CSA

The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their environment. The IS auditor should provide insight into the objectives of CSA.

An audit is an independent function and should not be waived even if CSA is being implemented. Both CSA and an audit are different functions and one cannot replace the other.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

Table 2.15: Key aspects from the CISA exam perspective

In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.

The following are some of the important topics that were covered in this chapter:

• The initial step in designing an audit plan is to determine the audit universe for the organization. The audit universe is the list of all the processes and systems under the scope of the audit. Once the audit universe is identified, a risk assessment is to be conducted to identify the critical processes and systems.
• Statistical sampling is the preferred mode of sampling when the probability of error must be objectively quantified.
• It is advisable to report the finding even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.
• The objective of CSA is to involve functional staff to monitor high-risk processes. CSA aims to educate line management in the area of control responsibility and monitoring. The replacement of audit functions is not the objective of CSA.

In the next chapter, you will explore the enterprise governance of IT and related frameworks.

Before you proceed to Chapter 3, IT Governance, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 2.7: CISA practice questions interface

To access the end-of-chapter questions from this chapter, follow these steps:

1. Open your web browser and go to https://packt.link/WYjVC. You will see the following screen:

Figure 2.8: Chapter summary and login

You can also scan the following QR code to access the website:

Figure 2.9: QR code to access Chapter 2 questions

2. Log in to your account using your credentials. If you haven’t activated your account yet, refer to Instructions for Unlocking the Online Content in the Preface for detailed instructions.

After a successful login, you will see the following screen:

Figure 2.10: Chapter summary and end-of-chapter question sets

3. Click on any of the given sets to begin your practice quiz. The quiz sets are timed as you can see from the following image:

Figure 2.11: Practice questions interface with timer

When the timer runs out, the quiz will submit automatically. Attempt each quiz multiple times till you are able to answer all questions not just correctly, but within the time limit as well

Chapter Benchmark Score

Before moving on to the next chapter, it is recommended that you score an average of 75% on the end-of-chapter practice quizzes. By actively working toward meeting this benchmark score, you will ensure that you are well-equipped to tackle the concepts in the upcoming chapter.