CISA – Certified Information Systems Auditor Study Guide - Second Edition

By Hemang Doshi
Free chapter: Chapter 2, Audit Execution
About this book
With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.
Publication date: June 2023
Publisher: Packt
Pages: 330
ISBN: 9781803248158

 

Chapter 2: Audit Execution

This Book Comes with Free Online Content

With this book, you get unlimited access to web-based CISA exam prep tools which include practice questions, flashcards, exam tips, and more.

Figure 2.1: CISA online practice resources dashboard

To unlock the content, you’ll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

Accessing the Online Content

If you’ve already created your account using those instructions, visit packt.link/cisastudyguidewebsite or scan the following QR code to quickly open the website.

Figure 2.2: QR Code to access CISA Online Practice Resources Main Page

Once there, click the Login link in the top-right corner of the page to access the content using your credentials.

In this chapter, you will learn about audit execution processes such as project management techniques, sampling methodology, and audit evidence collection techniques. These topics are important because Information Systems (IS) auditors should be aware of the audit execution process.

The following topics will be covered in this chapter:

  • Audit project management
  • Sampling methodology
  • Audit evidence collection techniques
  • Data analytics
  • Reporting and communication techniques
  • Control self-assessment

By the end of the chapter, you will have detailed knowledge of IS, business, and risk management processes that help protect the assets of an organization.

 

Audit Project Management

An audit includes various activities, such as audit planning, resource allocation, determining the audit scope and audit criteria, reviewing and evaluating audit evidence, forming audit conclusions, and reporting to management. All these activities are integral parts of an audit, and project management techniques are equally applicable to audit projects.

The following are the basic steps for managing and monitoring audit projects:

Figure 2.3: Basic steps for managing and monitoring audit projects

The activities mentioned in the preceding figure are all performed to achieve specific audit objectives. These are discussed in the next section.

Audit Objectives

Audit objectives are the expected outcomes of the audit activities. They refer to the intended goals that the audit must accomplish. Determining the audit objectives is a very important step in planning an audit. Generally, audits are conducted to achieve the following objectives:

  • To confirm that internal control exists
  • To evaluate the effectiveness of internal controls
  • To confirm compliance with statutory and regulatory requirements

An audit also provides reasonable assurance about the coverage of material items.

Audit Phases

The audit process has three phases: the first is planning, the second is execution, and the third is reporting. An IS auditor should be aware of the phases and steps of the audit process shown in the following table.

Planning Phase

  • Assess risk and determine the audit area
    • The first step is to conduct a risk assessment and identify the function, process, system, and physical location to be audited.
  • Determine the audit objective
    • The primary goal during the planning stage of an IS audit is to address the audit objectives.
    • The audit objective, i.e., the purpose of the audit, must also be determined.
    • An audit may be conducted to meet regulatory or contractual requirements.
  • Determine the audit scope
    • The next step is to identify and determine the scope of the audit.
    • The scope may be restricted to a few applications or a few processes only.
    • Defining the scope helps the auditor determine the resources required to conduct the audit.
  • Conduct pre-audit planning
    • Pre-audit planning includes understanding the business environment and the relevant regulations.
    • It includes conducting risk assessments to determine areas of high risk.
    • It also includes determining resource requirements and audit timings.
  • Determine audit procedures
    • The audit program is designed on the basis of the pre-audit information, which includes resource allocation and the audit procedures to be followed.
    • During this step, audit tools and audit methodology are developed to test and verify the controls.

Execution Phase

  • Gather data
    • The next step is to gather the relevant data and documents for the audit.
  • Evaluate controls
    • Once the required information, data, and documents are available, the auditor evaluates the controls to verify their effectiveness and efficiency.
  • Validate and document the results
    • Audit observations should be validated and documented along with the relevant evidence.

Reporting Phase

  • Draft report
    • A draft report should be issued to obtain comments from management on the audit observations.
    • Before issuance of the final report, the draft report should be discussed with management.
  • Issue report
    • The final report should contain the audit findings, recommendations, management comments, and the expected date of closure of the audit findings.
  • Follow up
    • Follow-up should be done to determine whether the audit findings have been closed, and a follow-up report should be issued.

Table 2.1: Phases of an audit process

For the CISA exam, please note down the following steps for the audit process:

Figure 2.4: Steps followed in an audit

It should be noted that the steps should be followed in chronological sequence for the success of the audit project and to achieve the audit objectives.

Fraud, Irregularities, and Illegal Acts

The implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. If a major fraud is identified, audit management should consider reporting it to the audit committee of the board.

Key Aspects from the CISA Exam Perspective

The following table covers the important aspects from the CISA exam perspective:

| CISA Question | Possible Answer |
|---|---|
| What does an IS audit provide? | Reasonable assurance about the coverage of material items |
| What is the first step of an audit project? | To develop an audit plan |
| What is the major concern in the absence of established audit objectives? | Not being able to determine key business risks |
| What is the primary objective of performing a risk assessment prior to the audit? | Allocating audit resources to areas of high risk |
| What is the first step of the audit planning phase? | Conducting risk assessments to determine the areas of high risk |

Table 2.2: Key aspects from the CISA exam perspective

 

Sampling Methodology

Sampling is the process of selecting data from a population. By analyzing samples, characteristics of the entire population can be identified. Sampling is performed when it is not feasible to study the entire population due to time and cost constraints. Therefore, samples are a subset of the population.

Sampling Types

This is a very important topic from a CISA exam perspective. Two or three questions can be expected from this topic. A CISA candidate should have an understanding of the following sampling techniques:

Statistical sampling

  • This is an objective sampling technique.
  • It is also known as non-judgmental sampling.
  • It uses the laws of probability, where each unit has an equal chance of selection.
  • In statistical sampling, the probability of error can be objectively quantified, and hence the detection risk can be reduced.

Non-statistical sampling

  • This is a subjective sampling technique.
  • It is also known as judgmental sampling.
  • The auditor uses their experience and judgment to select the samples that are material and represent a higher risk.

Attribute sampling

  • Attribute sampling is the simplest kind of sampling, based on certain attributes; it measures basic compliance.
  • It answers the question, “How many?”
  • It is expressed as a percentage, for example, “90% complied.”
  • Attribute sampling is usually used in compliance testing.

Variable sampling

  • Variable sampling offers more information than attribute sampling.
  • It answers the question, “How much?”
  • It is expressed in monetary value, weight, height, or some other measurement, for example, “an average profit of $25,000.”
  • Variable sampling is usually used in substantive testing.

Stop-or-go sampling

  • Stop-or-go sampling is used where controls are strong and very few errors are expected.
  • It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.

Discovery sampling

  • Discovery sampling is used when the objective is to detect fraud or other irregularities.
  • If a single error is found, the entire sample is believed to be fraudulent/irregular.

Table 2.3: Types of sampling and their descriptions

The following diagram will help you to understand the answers to specific CISA questions:

Figure 2.5: Different types of sampling

Also, remember the mnemonic AC-VS: Attribute sampling for Compliance testing and Variable sampling for Substantive testing.

Sampling Risk

Sampling risk refers to the risk that a sample is not a true representation of the population. The conclusion drawn by analyzing the sample may be different from the conclusion that would have been drawn by analyzing the entire population.

Other Sampling Terms

A CISA candidate should be aware of the following terms related to sampling.

The Confidence Coefficient

A confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. The sample size and the confidence coefficient are directly related: a larger sample size gives a higher confidence coefficient.

Look at the following example:

| Population | Sample Size | Confidence Coefficient |
|---|---|---|
| 100 | 95 | 95% |
| 100 | 50 | 50% |
| 100 | 25 | 25% |

Table 2.4: Example of confidence coefficient

In the case of poor internal controls, the auditor may want to verify 95 samples (sample size) out of a total population of 100. This gives a 95% confidence coefficient.

In the case of strong internal controls, the auditor may be satisfied with only 25 samples out of the total population of 100. This gives a 25% confidence coefficient.

Level of Risk

The level of risk can be derived by deducting the confidence coefficient from 1. For example, if the confidence coefficient is 95%, then the level of risk is 5% (100%–95%).

Expected Error Rate

This indicates the expected percentage of errors that may exist. When the expected error rate is high, the auditor should select a higher sample size.

Tolerable Error Rate

This indicates the maximum error rate that can exist without the audit result being materially misstated.

Sample Mean

The sample mean is the average of all collected samples. It is derived by adding all the samples and dividing the sum by the number of samples.

Sample Standard Deviation

This indicates how widely the sample values are spread around the sample mean.
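The sampling types in Table 2.3 and the terms just defined, worked through in code. This is an added illustration, not code from the book: the invoice population, the approval attribute, and the helper names are all constructed for the example, and the judgmental sample simply takes the largest invoices to stand in for auditor judgment.

```python
"""Sampling helpers for the techniques and terms in this section.
Added illustration, not code from the book; the invoice population is constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    """One unit of the population: an invoice with a control attribute and a value."""
    invoice_id: int
    approved: bool   # the attribute tested in compliance testing ("How many?")
    amount: float    # the variable tested in substantive testing ("How much?")


def build_population(size: int, exception_rate: float = 0.05, seed: int = 7) -> list[Invoice]:
    """Constructed population: roughly exception_rate of the invoices lack the approval control."""
    rng = random.Random(seed)
    return [
        Invoice(i, rng.random() >= exception_rate, round(rng.uniform(100.0, 5000.0), 2))
        for i in range(1, size + 1)
    ]


def statistical_sample(population: list[Invoice], sample_size: int, seed: int = 1) -> list[Invoice]:
    """Statistical (non-judgmental) sampling: every unit has an equal chance of selection."""
    return random.Random(seed).sample(population, sample_size)


def judgmental_sample(population: list[Invoice], sample_size: int) -> list[Invoice]:
    """Non-statistical (judgmental) sampling: the auditor picks the material, higher-risk
    units; here the largest invoices stand in for that judgment."""
    return sorted(population, key=lambda inv: inv.amount, reverse=True)[:sample_size]


def attribute_rate(sample: list[Invoice]) -> float:
    """Attribute sampling (compliance testing): percentage of units where the control was present."""
    return 100.0 * sum(inv.approved for inv in sample) / len(sample)


def variable_stats(sample: list[Invoice]) -> tuple[float, float]:
    """Variable sampling (substantive testing): sample mean and sample standard deviation."""
    amounts = [inv.amount for inv in sample]
    return statistics.mean(amounts), statistics.stdev(amounts)


def level_of_risk(confidence_coefficient: float) -> float:
    """Level of risk = 1 - confidence coefficient, e.g. 0.95 -> 0.05."""
    return round(1.0 - confidence_coefficient, 4)


def discovery_sample(population: list[Invoice], sample_size: int, seed: int = 1) -> dict:
    """Discovery sampling: examine units until the first exception; a single exception is
    enough to flag the set for investigation, so examination stops there."""
    for examined, inv in enumerate(statistical_sample(population, sample_size, seed), start=1):
        if not inv.approved:
            return {"exception_found": True, "units_examined": examined, "invoice_id": inv.invoice_id}
    return {"exception_found": False, "units_examined": sample_size, "invoice_id": None}


def stop_or_go_sample(population: list[Invoice], block_size: int, max_units: int,
                      seed: int = 1) -> dict:
    """Stop-or-go sampling: examine an initial block; if no exception has been seen,
    stop early (controls look strong). Otherwise keep extending the sample block by
    block, up to max_units."""
    units = statistical_sample(population, min(max_units, len(population)), seed)
    examined = exceptions = 0
    while examined < len(units):
        block = units[examined:examined + block_size]
        examined += len(block)
        exceptions += sum(not inv.approved for inv in block)
        if exceptions == 0:
            break  # no exceptions so far: stop and avoid excess sampling
    return {"units_examined": examined, "exceptions": exceptions}


if __name__ == "__main__":
    pop = build_population(1000)
    sample = statistical_sample(pop, 60)
    print(f"attribute sampling: {attribute_rate(sample):.1f}% complied")
    mean, sd = variable_stats(sample)
    print(f"variable sampling: mean amount {mean:.2f}, sample SD {sd:.2f}")
    print(f"level of risk at 95% confidence: {level_of_risk(0.95):.0%}")
    print("discovery sampling:", discovery_sample(pop, 60))
    print("stop-or-go sampling:", stop_or_go_sample(pop, 20, 60))
```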

Compliance versus Substantive Testing

A CISA candidate should be able to differentiate between compliance testing and substantive testing. They should be able to determine which type of testing is to be performed under different scenarios.

The Differences between Compliance Testing and Substantive Testing

The following table differentiates between compliance and substantive testing:

| Compliance Testing | Substantive Testing |
|---|---|
| Compliance testing involves the verification of the controls of a process. | Substantive testing involves the verification of data or transactions. |
| Compliance testing checks for the presence of controls. | Substantive testing checks for the completeness, accuracy, and validity of the data. |
| In compliance testing, attribute sampling is preferred. | In substantive testing, variable sampling is preferred. |

Table 2.5: Differences between compliance testing and substantive testing

Essentially, verifying whether a control is present or not is compliance testing. Meanwhile, verification of the complete process by testing the data/transaction to “substantiate” that the process is working is substantive testing.

Examples of Compliance Testing and Substantive Testing

The following examples will further help you understand the different use cases of compliance testing and substantive testing:

| Compliance Testing | Substantive Testing |
|---|---|
| To check for controls in router configuration | To count and confirm the physical inventory |
| To check for controls in the change management process | To confirm the validity of inventory valuation calculations |
| Verification of system access rights | To count and confirm cash balance |
| Verification of firewall settings | Examining the trial balance |
| Reviewing compliance with the password policy | Examining other financial statements |

Table 2.6: Differences between the use cases of compliance testing and substantive testing

The Relationship between Compliance Testing and Substantive Testing

A CISA candidate should understand the following points about the relationship between compliance testing and substantive testing:

  • Ideally, compliance testing should be performed first and should be followed by substantive testing.
  • The outcome of compliance testing is used to plan for a substantive test. If the outcome of compliance testing indicates the existence of effective internal controls, then substantive testing may not be required or may be reduced. However, if the outcome of compliance testing indicates a poor internal control system, more rigorous substantive testing is required. Thus, the design of substantive tests is often dependent on the result of compliance testing.
  • The attribute sampling technique (which indicates that a control is either present or absent) is useful for compliance testing, whereas variable sampling will be useful for substantive testing.

Apart from the appropriate sampling technique, another important aspect of the audit process is using appropriate evidence-gathering techniques. Audit evidence should be collected properly to establish its reliability. Details on the reliability of audit evidence and collection techniques are covered in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

| CISA Question | Possible Answer |
|---|---|
| Which sampling technique should be used when the probability of error must be objectively quantified? | Statistical sampling. |
| How can sampling risk be mitigated? | By using statistical sampling. |
| Which sampling method is most useful when testing for compliance? | Attribute sampling. |
| In the case of a strong internal control, should the confidence coefficient/sample size be increased or lowered? | The confidence coefficient/sample size may be lowered. |
| Which sampling method would best assist auditors when there are concerns of fraud? | Discovery sampling. |
| How can you differentiate between compliance testing and substantive testing? | The objective of compliance testing is to test the presence of controls, whereas the objective of substantive testing is to test individual transactions. Take the example of asset inventory: compliance testing verifies whether a control exists for inward/outward movement of the assets, whereas verifying the count of physical assets and comparing it with records is substantive testing. |
| What are some examples of compliance testing? | Verifying the configuration of a router for controls; verifying the change management process to ensure controls are effective; reviewing system access rights; reviewing firewall settings; reviewing compliance with a password policy. |
| What are some examples of substantive testing? | A physical inventory of the tapes at the location of offsite processing; confirming the validity of the inventory valuation calculations; conducting a bank confirmation to test cash balances; examining the trial balance; examining other financial statements. |
| In what scenario can the substantive test procedure be reduced? | The internal control is strong/the control risk is within acceptable limits. |

Table 2.7: Key aspects from the CISA exam perspective

 

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical because the audit opinion rests on the reliability, competence, and objectivity of that evidence. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

  • Review the organization’s structure
    • The IS auditor should review the organization’s structure and governance model.
    • This will help the auditor determine the control environment of the enterprise.
  • Review IS policies, processes, and standards
    • The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.
    • The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.
  • Observations
    • The IS auditor should observe the process to determine the following:
      • The skill and experience of the staff
      • The security awareness of the staff
      • The existence of segregation of duties (SoD)
  • Interview technique
    • The IS auditor should have the skill and competency to conduct interviews tactfully.
    • Interview questions should be designed in advance to ensure that all topics are covered.
    • To the greatest extent possible, interview questions should be open-ended to gain insight into the process.
    • The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.
  • Re-performance
    • In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.
    • Re-performance provides better evidence than other techniques.
    • It should be used when other methods do not provide sufficient assurance about control effectiveness.
  • Process walk-through
    • A process walk-through is done by the auditor to confirm their understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions and Possible Answers

  • What does the extent of the data requirements for the audit depend on?
    • The objective and scope of the audit.
  • What should audit findings be supported by?
    • Sufficient and appropriate audit evidence.
  • What is the most important reason to obtain sufficient audit evidence?
    • To provide a reasonable basis for drawing conclusions.
  • What is the most effective tool for obtaining audit evidence through digital data?
    • Computer-assisted auditing techniques.
  • What is the most important advantage of using CAATs for gathering audit evidence?
    • CAATs provide assurance about the reliability of the evidence collected.
  • What type of evidence is considered most reliable?
    • Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.
  • What is the primary reason for a functional walk-through?
    • To understand the business process.

Table 2.9: Key aspects from the CISA exam perspective

Data Analytics

Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

  • To determine whether a user is authorized by combining logical access files with the human resource employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input with output records
  • To review system configuration settings
  • To review logs for unauthorized access
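The first three uses listed above are all joins between two data sets. The following Python script is an added example (not from the book) that carries out those joins on small constructed extracts: it matches a logical access file against an HR master to find accounts with no active employee, matches file-library modification dates against approved change tickets, and pairs badge-in and badge-out records to spot people who left a secure area without ever badging in. All file names, column names and records are assumptions made for the example.

```python
import csv
import io

# Constructed sample extracts (not real data). In practice these would be
# exported from the access-control system, the HR database, the change
# management system, the file library and the physical access system.
ACCESS_FILE = """user_id,system,last_login
u1001,ERP,2024-05-02
u1002,ERP,2024-05-03
u1003,ERP,2024-04-11
u1004,ERP,2024-05-01
"""

HR_FILE = """user_id,name,status,termination_date
u1001,A. Smith,active,
u1002,B. Jones,terminated,2024-03-31
u1003,C. Lee,active,
"""

CHANGE_TICKETS = """ticket,object,approved_on
CHG-101,payroll.exe,2024-05-01
"""

FILE_LIBRARY = """object,modified_on
payroll.exe,2024-05-02
gl_post.exe,2024-05-04
"""

BADGE_LOG = """time,person,event
08:00,p1,in
08:05,p2,in
12:00,p1,out
12:10,p3,out
12:30,p2,out
"""


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unauthorized_users(access_rows, hr_rows):
    """Join access accounts to the HR master and flag accounts that do not
    belong to an active employee. Dates are ISO strings, so string comparison
    orders them correctly."""
    active = {r["user_id"] for r in hr_rows if r["status"] == "active"}
    terminated = {r["user_id"]: r["termination_date"]
                  for r in hr_rows if r["status"] == "terminated"}
    findings = []
    for r in access_rows:
        uid = r["user_id"]
        if uid in active:
            continue
        if uid in terminated:
            reason = f"terminated on {terminated[uid]}"
            if r["last_login"] > terminated[uid]:
                reason += ", logged in after termination"
        else:
            reason = "no matching HR record"
        findings.append((uid, reason))
    return findings


def find_unauthorized_changes(library_rows, ticket_rows):
    """Flag file changes that have no approved change ticket dated on or
    before the modification date."""
    approvals = {}
    for t in ticket_rows:
        approvals.setdefault(t["object"], []).append(t["approved_on"])
    findings = []
    for r in library_rows:
        approved = any(a <= r["modified_on"] for a in approvals.get(r["object"], []))
        if not approved:
            findings.append((r["object"], r["modified_on"]))
    return findings


def find_tailgating(badge_rows):
    """Pair entry (input) and exit (output) records. An exit with no preceding
    entry means the person got in without badging, i.e. tailgated.
    Rows are assumed to be sorted by time."""
    inside = set()
    findings = []
    for r in badge_rows:
        if r["event"] == "in":
            inside.add(r["person"])
        elif r["event"] == "out":
            if r["person"] in inside:
                inside.discard(r["person"])
            else:
                findings.append((r["person"], r["time"]))
    return findings


if __name__ == "__main__":
    print(find_unauthorized_users(load(ACCESS_FILE), load(HR_FILE)))
    print(find_unauthorized_changes(load(FILE_LIBRARY), load(CHANGE_TICKETS)))
    print(find_tailgating(load(BADGE_LOG)))
```

Each function returns a list of findings rather than printing them, so the same logic can be run over a full extract and the results written to the audit working papers. The badge check only flags exits without entries; entries without exits are also worth reviewing but can simply mean the person is still inside.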

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools and Their Functions

  • General Audit Software: standard software used to read and access data directly from various database platforms.
  • Utility and Scanning Software: generates reports from the database management system and scans the system for vulnerabilities.
  • Debugging: helps in identifying and removing errors from computer hardware or software.
  • Test Data: used to test the processing logic, computations, and controls programmed into computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For detailed analysis
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Safeguard the authenticity, integrity, and confidentiality of imported data
  • Obtain approval for installing the CAAT software on the auditee servers
  • Obtain only read-only access when using CAATs on production data
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

  • Continuous Auditing: an audit is conducted in a real-time or near-real-time environment, so the gap between an operation and its audit is much shorter than under a traditional audit approach. For example, high payouts are audited immediately after a payment is made.
  • Continuous Monitoring: the relevant process of a system is observed on a continuous basis. For example, antivirus software or an IDS may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF):

  • In an ITF, a fictitious entity is created in the production environment.
  • The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
  • Processed results and expected results are compared to check the proper functioning of the system.
  • For example, with the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of processing. If the processed results match the expected results, the processing is deemed correct. Once the verification is complete, the test data is deleted from the system.
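The following Python script is an added example (not from the book) of the ITF cycle described above: a fictitious customer is posted through the live sales-posting logic, each result is compared with the auditor's expected value, and the fictitious entity's entries are purged so live totals are unaffected. The ledger, the "ITF-" entity prefix, the 10% tax rule and the amounts are all constructed assumptions for the example.

```python
from decimal import Decimal

# Assumed convention for the example: every fictitious ITF entity carries this
# prefix so its postings can be excluded from reports and purged afterwards.
ITF_PREFIX = "ITF-"
TAX_RATE = Decimal("0.10")   # constructed application rule: 10% tax on net


def process_sale(ledger, customer_id, net_amount):
    """The production application logic under test: posts net, tax and gross."""
    net = Decimal(net_amount)
    tax = (net * TAX_RATE).quantize(Decimal("0.01"))
    gross = net + tax
    ledger.append({"customer": customer_id, "net": net, "tax": tax, "gross": gross})
    return gross


def live_totals(ledger):
    """Reporting view: totals for real customers only, ITF entries excluded."""
    return sum(e["gross"] for e in ledger if not e["customer"].startswith(ITF_PREFIX))


def run_itf_test(ledger, test_cases):
    """Post each dummy transaction for the fictitious entity, compare the
    application's result with the auditor's expected result, then purge the
    entity's entries from the production ledger.

    Returns a list of (net, expected_gross, actual_gross, matched) tuples."""
    results = []
    for net, expected_gross in test_cases:
        actual = process_sale(ledger, ITF_PREFIX + "CUST01", net)
        expected = Decimal(expected_gross)
        results.append((net, expected, actual, actual == expected))
    # Clean-up step: remove every posting that belongs to the fictitious entity.
    ledger[:] = [e for e in ledger if not e["customer"].startswith(ITF_PREFIX)]
    return results


if __name__ == "__main__":
    ledger = []
    process_sale(ledger, "C100", "200.00")          # a real customer's sale
    before = live_totals(ledger)
    results = run_itf_test(ledger, [("100.00", "110.00"),
                                    ("33.33", "36.66"),
                                    ("50.00", "56.00")])   # deliberately wrong expectation
    for net, expected, actual, ok in results:
        print(f"net={net} expected={expected} actual={actual} {'OK' if ok else 'MISMATCH'}")
    print("live totals unchanged:", live_totals(ledger) == before, "entries:", len(ledger))
```

The third test case expects a wrong gross on purpose, to show that a mismatch is surfaced rather than silently passed. The purge at the end of run_itf_test is the part auditors most often forget: without it, the fictitious postings remain in production data and distort the very totals the audit is meant to give assurance over.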

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

  • In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
  • A SCARF is used to obtain data or information for audit purposes.
  • SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
  • SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

  • This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
  • Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
  • Snapshots are useful when an audit trail is required.
  • The IS auditor should consider the following significant factors when working with this technique:
    • At what location snapshots are captured
    • At what time snapshots are captured
    • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

  • Audit hooks are embedded in the application system to capture exceptions.
  • The auditor can set different criteria to capture exceptions or suspicious transactions.
  • For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
  • Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
  • Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

  • CIS replicates or simulates the processing of the application system.
  • In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review.
  • CIS compares its own results with the results produced by the application system. Any discrepancies are written to an exception log file.
  • CIS is useful to identify the transactions as per the predefined criteria in a complex environment.
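The SCARF, snapshot, audit hook and CIS techniques described above all rely on audit logic that sits inside the host application's processing path. The following Python script is an added example (not from the book or any vendor's embedded audit module) that puts all four into one small module wired into a constructed account-posting application: the hook criterion captures cash transactions over $10,000 (the SCARF log), before and after snapshots are taken around each posting, and a simulator independently recomputes the expected balance and writes any discrepancy to an exception log. The application contains a deliberately constructed defect (withdrawals rounded to whole currency units) so that the simulation has something to catch; the classes, transaction fields and amounts are all assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Txn:
    id: str
    account: str
    kind: str            # "deposit" or "withdrawal"
    amount: Decimal
    cash: bool = False   # True for cash transactions (audit-hook criterion applies)


@dataclass
class AuditModule:
    """Audit logic embedded in the host application (assumed design)."""
    cash_limit: Decimal = Decimal("10000")            # auditor-set hook criterion
    scarf_log: list = field(default_factory=list)     # SCARF: captured transaction ids
    snapshots: list = field(default_factory=list)     # snapshot technique: (id, stage, balance)
    exception_log: list = field(default_factory=list) # CIS: (id, expected, actual)

    def hook(self, txn):
        # Audit hook / SCARF: record transactions that meet the auditor's criteria.
        if txn.cash and txn.amount > self.cash_limit:
            self.scarf_log.append(txn.id)

    def snapshot(self, stage, txn, balance):
        # Snapshot: capture the affected balance at a given processing stage.
        self.snapshots.append((txn.id, stage, balance))

    def simulate(self, txn, before, after):
        # CIS: recompute the expected result independently of the application
        # and log any discrepancy with the application's actual result.
        expected = before + txn.amount if txn.kind == "deposit" else before - txn.amount
        if expected != after:
            self.exception_log.append((txn.id, expected, after))


class HostApplication:
    """Constructed account-posting application with the audit module wired in."""

    def __init__(self, audit):
        self.balances = {}
        self.audit = audit

    def _apply(self, before, txn):
        if txn.kind == "deposit":
            return before + txn.amount
        # Constructed defect for the example: withdrawals are rounded to whole
        # currency units, which the CIS simulation should flag.
        return (before - txn.amount).quantize(Decimal("1"))

    def post(self, txn):
        before = self.balances.get(txn.account, Decimal("0"))
        self.audit.snapshot("before", txn, before)
        self.audit.hook(txn)
        after = self._apply(before, txn)
        self.balances[txn.account] = after
        self.audit.snapshot("after", txn, after)
        self.audit.simulate(txn, before, after)
        return after


def run_demo():
    """Post three constructed transactions and return the populated audit module."""
    audit = AuditModule()
    app = HostApplication(audit)
    txns = [
        Txn("T1", "A1", "deposit", Decimal("12500.00"), cash=True),  # above the hook limit
        Txn("T2", "A1", "withdrawal", Decimal("100.50")),            # hits the rounding defect
        Txn("T3", "A1", "deposit", Decimal("9000.00"), cash=True),   # cash, but below the limit
    ]
    for t in txns:
        app.post(t)
    return audit


if __name__ == "__main__":
    audit = run_demo()
    print("SCARF captured:", audit.scarf_log)
    print("snapshots:", audit.snapshots)
    print("CIS exceptions:", audit.exception_log)
```

In this arrangement the hook and SCARF are the same mechanism seen from two angles: the hook is the criterion, the SCARF file is where the matching transactions accumulate for the auditor's review. The snapshot pairs give the audit trail needed to see exactly which posting introduced the half-unit difference that the CIS exception reports.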

The following table summarizes the features of continuous audit tools:

Audit Tools and Their Usage

  • SCARF/EAM: useful when regular processing cannot be interrupted.
  • Snapshots: used when an audit trail is required.
  • Audit hooks: used when early detection of fraud or error is required.
  • ITF: test data is processed in the production environment.
  • CIS: useful for identifying transactions that meet predefined criteria in a complex environment.

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions and Possible Answers

  • What is the first step of conducting data analytics?
    • Determining the objective and scope of the analytics.
  • Which is the most effective online audit technique when an audit trail is required?
    • The snapshot technique.
  • What is the advantage of an Integrated Test Facility (ITF)?
    • Setting up a separate test environment/test process is not required.
    • An ITF helps validate the accuracy of the system processing.
  • Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?
    • CIS is most useful to identify transactions as per predefined criteria in a complex environment.

Table 2.13: Key aspects from the CISA exam perspective

Reporting and Communication Techniques

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization.

A formal exit interview is essential before the audit report is released. The following are the objectives of an exit interview:

  • To ensure that the facts are appropriately and correctly presented in the report
  • To discuss recommendations with auditee management
  • To discuss an implementation date

The exit meeting ensures that facts are not misunderstood or misinterpreted. Exit meetings help to align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

A CISA candidate should note the following best practices with respect to audit reporting:

  • The IS auditor is ultimately accountable to senior management, and the final audit report should be sent to the Audit Committee of the Board (ACB). If the IS auditor has no access to top officials and the audit committee, this impairs the auditor’s independence.
  • Before the report is placed with the ACB, the IS auditor should discuss with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
  • Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
  • If a control weakness is identified that is outside the scope of the audit, it should still be reported to management during the audit process and not overlooked. Generally accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
  • To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

The following are the six objectives of audit reporting:

  • The presentation of audit findings/results to all the stakeholders (that is, the auditees).
  • The audit report serves as a formal closure for the audit committee.
  • The audit report provides assurance to the organization. It identifies the areas that require corrective action and associated suggestions.
  • The audit report serves as a reference for any party researching the auditee or audit topic.
  • It helps in follow-ups of audit findings presented in the audit reports for closure.
  • A well-defined audit report promotes audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report includes the following content:

  • An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
  • Audit findings and recommendations
  • Opinion about the adequacy, effectiveness, and efficiency of the control environment

Now you will see a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented.

Follow-up activities should be taken on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions and Possible Answers

  • What is the objective of an audit closure meeting?
    • To ensure that there have been no misunderstandings or misinterpretations of the facts.
  • What is the objective of conducting a follow-up audit?
    • To validate the remediation action.
  • What is the best way to schedule a follow-up audit?
    • On the basis of the due date agreed upon by auditee management.

Table 2.14: Key aspects from the CISA exam perspective

Control Self-Assessment

Control Self-Assessment (CSA), as the name suggests, is the self-assessment of controls by process owners. For CSA, the employee understands the business process and evaluates the various risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.

CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.

Objectives of CSA

The following are the objectives of implementing a CSA program:

  • Make functional staff responsible for control monitoring
  • Enhance audit responsibilities (not to replace the audit’s responsibilities)
  • Concentrate on critical processes and areas of high risk

Benefits of CSA

The following are the benefits of implementing a CSA program:

  • It allows risk detection at an early stage of the process and reduces control costs.
  • It helps in ensuring effective and stronger internal controls, which improves the audit rating process.
  • It helps the process owner take responsibility for control monitoring.
  • It helps in increasing employee awareness of organizational goals. It also helps in understanding the risk and internal controls.
  • It improves communication between senior officials and operational staff.
  • It improves the motivational level of the employees.
  • It provides assurance to all the stakeholders and customers.
  • It provides assurance to top management about the adequacy, effectiveness, and efficiency of the control requirements.

Precautions while Implementing CSA

Due care should be taken when implementing the CSA function. It should not be considered a replacement for the audit function. An audit is an independent function and should not be waived even if CSA is being implemented. CSA and an audit are different functions, and one cannot replace the other.

An IS Auditor’s Role in CSA

The IS auditor’s role is to act as a facilitator for the implementation of CSA. It is the IS auditor’s responsibility to guide the process owners in assessing the risk and control of their environment. The IS auditor should provide insight into the objectives of CSA.

An audit is an independent function and should not be waived even if CSA is being implemented. Both CSA and an audit are different functions and one cannot replace the other.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions and Possible Answers

  • What is the primary objective of implementing CSA?
    • To monitor and control high-risk areas.
    • To enhance audit responsibilities.
  • What is the role of the auditor in the implementation of CSA?
    • To act as a facilitator for the CSA program.
  • What is the most significant requirement for a successful CSA?
    • Involvement of line management.

Table 2.15: Key aspects from the CISA exam perspective

Summary

In this chapter, you explored various aspects of audit project management and learned about different sampling techniques. You also explored different audit evidence collection techniques, reporting techniques, and practical aspects of CSA.

The following are some of the important topics that were covered in this chapter:

  • The initial step in designing an audit plan is to determine the audit universe for the organization. The audit universe is the list of all the processes and systems under the scope of the audit. Once the audit universe is identified, a risk assessment is to be conducted to identify the critical processes and systems.
  • Statistical sampling is the preferred mode of sampling when the probability of error must be objectively quantified.
  • It is advisable to report the finding even if corrective action is taken by the auditee. For any action taken on the basis of audit observation, the audit report should identify the finding and describe the corrective action taken.
  • The objective of CSA is to involve functional staff to monitor high-risk processes. CSA aims to educate line management in the area of control responsibility and monitoring. The replacement of audit functions is not the objective of CSA.

In the next chapter, you will explore the enterprise governance of IT and related frameworks.


Chapter Review Questions

Before you proceed to Chapter 3, IT Governance, it is recommended that you solve the practice questions from this chapter first. These chapter review questions have been carefully crafted to reinforce the knowledge you have gained throughout this chapter. By engaging with these questions, you will solidify your understanding of key topics, identify areas that require further study, and build your confidence before moving on to new concepts in the next chapter.

Note

A few of the questions may not be directly related to the topics in the chapter. They aim to test your general understanding of information systems concepts instead.

The following image shows an example of the practice questions interface.

Figure 2.7: CISA practice questions interface

To access the end-of-chapter questions from this chapter, follow these steps:

  1. Open your web browser and go to https://packt.link/WYjVC. You will see the following screen:

Figure 2.8: Chapter summary and login

You can also scan the following QR code to access the website:

Figure 2.9: QR code to access Chapter 2 questions

  2. Log in to your account using your credentials. If you haven’t activated your account yet, refer to Instructions for Unlocking the Online Content in the Preface for detailed instructions.

After a successful login, you will see the following screen:

Figure 2.10: Chapter summary and end-of-chapter question sets

  3. Click on any of the given sets to begin your practice quiz. The quiz sets are timed, as you can see from the following image:

Figure 2.11: Practice questions interface with timer

When the timer runs out, the quiz will submit automatically. Attempt each quiz multiple times until you are able to answer all the questions not just correctly, but within the time limit as well.

Chapter Benchmark Score

Before moving on to the next chapter, it is recommended that you score an average of 75% on the end-of-chapter practice quizzes. By actively working toward meeting this benchmark score, you will ensure that you are well-equipped to tackle the concepts in the upcoming chapter.

About the Author
  • Hemang Doshi

    Hemang Doshi has more than 15 years of experience in the field of system audit, IT risk and compliance, internal audit, risk management, information security audit, third-party risk management, and operational risk management. He has authored several books for certification such as CISA, CRISC, CISM, DISA, and enterprise risk management.
