CISA Domain 1

The Process On
AUDITING INFORMATION
SYSTEMS

+91-97736-67874
sales@infosectrain.com
https://www.infosectrain.com
Overall understanding of the domain:
 Weightage - This domain constitutes 21 percent of the CISA exam
(approximately 32 questions)

 Covers 11 Knowledge statements covering the process of auditing

information systems

1. ISACA IS Audit and Assurance Standards, Guidelines, and Tools &

Techniques, Code of Professional Ethics & other applicable standard
2. risk assessment concepts and tools and techniques in planning,
examination, reporting and follow-up
3. Fundamental business processes & the role of IS in these processes
4. Control principles related to controls in information systems
5. Risk-based audit planning and audit project management techniques
6. Applicable laws and regulations which affect the scope, evidence
collection and preservation and frequency of audits
7. Evidence collection techniques used to gather, protect and preserve
audit evidence
8. Different sampling methodologies & other substantive/data analyti-
cal procedures
9. Reporting and communication techniques
10. Audit quality assurance (QA) systems and frameworks
11. Various types of audits & methods for assessing and placing reliance
on the work of other auditors or control entities

https://www.infosectrain.com sales@infosectrain.com Page No.1

Important concepts from exam point of view:
1. Audit Charter:
 Audit Charter outlines the overall authority, scope and responsibilities of
audit function
 Audit charter should be approved by Audit committee, senior management
 Internal audit function is always independent of management committee

Points to remember:

 When CISA question is on the approval of audit charter, the answer

should be senior most management, based on the options available.
 IS auditor’s role being more of reporting of audit observations and

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
giving an “independent audit opinion”

https://www.infosectrain.com sales@infosectrain.com Page No.2

2. Audit planning:
 Step 1 – Understanding of business mission, vision, objectives, process
which includes information requirements under CIA trait (Confidentiality,
Integrity and Availability of data)
 Step 2 – Understanding of business environment
 Step 3 - Review prior work papers
 Step 4 - Perform Risk analysis
 Step 5 - Set audit scope and objectives
 Step 6 - Develop audit plan/strategy
 Step 7 - Assign audit personal/resources

Point to remember: The first step in the audit planning is always under-
standing the business mission, objectives and business environment, then
analyzing the risk involved based in the audit scope.

 Audit planning includes –

1. Short term planning – considers audit issues that will be covered during
the year
2. Long term planning - audit plans that will take into account risk-related
issues regarding changes in the organization’s IT strategic direction that
will affect the organization’s IT environment.

https://www.infosectrain.com sales@infosectrain.com Page No.3

3. Risk analysis:
 Risk is a combination of the probability of an event and its consequence
(International Organization for Standardization [ISO] 31000:2009)

 Risk analysis is part of audit planning, and help identify risk and vulnerabili
ties so the IS auditor can determine the controls needed to mitigate those
risk

Point to remember: CISA candidate should be able to differentiate

between threat and vulnerability. Threat is anything that can exploit a vul-
nerability, intentionally or accidentally, and obtain, damage, or destroy an
asset. Vulnerability is Weakness or gap in a security program that can be
exploited by threats to gain unauthorized access to an asset

 Risk analysis covers Risk Management Framework – ISO 27005, ISO

31000

 Risk Assessment Process –The process starts with identifying the source
& events, then identifying the vulnerabilities associated with the sources, &
then analyzing the probability of the occurrence and the impact.

 Risk Management Process - It begins with identifying the business object

ives, the information assets that are associated with business, assessmen
t of risk, how to mitigate the risk (either to avoid or transfer or mitigate/
reduce the risk) and implementing controls to mitigate the risk)

Point to remember:

 CISA candidate should be aware of the difference between Risk

assessment and Risk management. Risk assessment is the process
of finding where the risk exists. Risk management is the second step
after performing risk assessment.

 Risk can be mitigated/reduced through implementation of controls/

third-party insurance, etc.

https://www.infosectrain.com sales@infosectrain.com Page No.4

4. Internal Controls:
 Internal controls are normally composed of policies, procedures, practices
& organizational structures which are implemented to reduce risks to the
organizations

 The board of directors are responsible for establishing the effective inter
nal control system

Point to remember: When CISA question is on the responsibility of

internal controls, the answer should be senior most management (BoD,
CEO, CIO, CISO etc) , based on the options available

 Classification of internal controls:

a. Preventive controls
b. Detective controls
c. Corrective controls

Point to remember: CISA question will be scenario based, where the

candidate should have a thorough understanding of all the three controls
and able to differentiate between preventive, detective and corrective

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
controls

 Preventive controls: are those internal controls which are deployed to pre
vent happening of an event that might affect achievement of organization
al objectives. Some examples of preventive control activities are:

 Employee background checks

 Employee training and required certifications
 Password protected access to asset storage areas
 Physical locks on inventory warehouses
 Security camera systems
 Segregation of duties (i.e. recording, authorization, & custody all handled
by separate individuals)

https://www.infosectrain.com sales@infosectrain.com Page No.5

 Detective controls: Detective controls seek to identify when preventive
controls were not effective in preventing errors and irregularities, particu
larly in relation to the safeguarding of assets. Some examples of detect-
ive control activities are:

 bank reconciliations
 control totals
 physical inventory counts

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
 reconciliation of the general ledgers to the detailed subsidiary ledgers
 Internal audit functions

 Corrective controls: When detective control activities identify an error or

irregularity, corrective control activities should then see what could or
should be done to fix it, & hopefully put a new system in place to prevent
it the next time around. Some examples of corrective control activities
are: ®

 data backups can be used to restore lost data in case of a fire or other
disaster
 data validity tests can require users to confirm data inputs if amounts are
outside a reasonable range
 insurance can be utilized to help replace damaged or stolen assets
 management variance reports can highlight variances from budget to
actual for management corrective action
 training and operations manuals can be revised to prevent future errors
and irregularities

https://www.infosectrain.com sales@infosectrain.com Page No.6

5. COBIT 5:
 Developed by ISACA
 A comprehensive framework that assist enterprises in achieving their
objectives for the governance & management of enterprise IT (GEIT)
 COBIT 5 based on 5 principles and 7 enablers

5 Principles 7 Enablers

1. Meeting Shareholders needs 1. Principles, Policies and Frameworks

2. End-to-End coverage 2. Processes

3. Holistic Approach 3. Organizational Structures

4. Integrated Framework 4. Culture, Ethics and Behaviour

5. Separate governance from 5. Information

management

6. Services, Infrastructure, Application

7. People, Skills and Competencies

(Note: A CISA candidate will

not be asked to specifically
identify the COBIT process,
the COBIT domains or the set
of IT processes defined in
each. However, candidates
should know what frame-
works are, what they do and
why they are used by enter-
prises)

https://www.infosectrain.com sales@infosectrain.com Page No.7

6. Risk based auditing
 Audit Risk - the risk that information may contain a material error
that may go undetected during the course of the audit.

 The audit approach should be as follows:

 Step 1 – Gather available information and plan through review of

prior year’s audit results, recent financial information, inherent risk
assessments
 Step 2 – Understanding of existing internal controls by analyzing
control procedures, detection risk assessment
 Step 3 – Perform compliance testing by identifying key controls to
be tested
 Step 4 – Perform substantive testing by test of account balances,
analytical procedures
 Step 5 – Conclude the audit - Audit report with independent audit
opinion

 Factors which influence audit risk

a. Inherent risk – Risk that an activity would pose if no controls/ other

mitigating factors were in place.
b. Control risk - Risk that a material error exists that would not be prev
ented or detected on a timely basis by the system of internal control
c. Detection risk - The risk that material errors or misstatements that
have occurred will not be detected by the IS auditor

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
d. Residual risk – Risk that remains after controls are taken into
account

Point to remember: A CISA candidate should know the differences

between preventive, detective and corrective controls. An example of
a question in the exam would be: Which of the following controls
would BEST detect

https://www.infosectrain.com sales@infosectrain.com Page No.8

7. Risk Treatment

 Risk identified in the risk assessment needs to be treated.

 Possible risk response options include:

 Risk mitigation—Applying appropriate controls to reduce the risk

 Risk acceptance—Knowingly and objectively not taking action, provid
ing the risk clearly satisfies the organization’s policy and criteria for
risk acceptance
 Risk avoidance—Avoiding risk by not allowing actions that would
cause the risk to occur
 Risk transfer/sharing—Transferring the associated risk to other par
ties (e.g., insurers or suppliers)

https://www.infosectrain.com sales@infosectrain.com Page No.9

8. Compliance testing Vs. substantive testing
 Compliance testing - determines whether controls
are in compliance
with management policies and procedures
Examples:
 User access rights
 Program change control
procedures
 Review of logs
 Software license audit

 Substantive testing -
gathers evidences to
evaluate the integrity of
individual transactions,
data or other information
Examples:
 performance of a
complex calculation on
sample basis

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
 testing of account balances

Point to remember:

 CISA question will be scenario based and the candidate should

able to differentiate between substantive testing & compliance
testing.
 statistical sampling is to be used when the probability of error
must be objectively quantified (i.e no subjectivity is involved).
Statistical sampling is an objective method of sampling in which
each item has equal chance of selection

https://www.infosectrain.com sales@infosectrain.com Page No.10

9. Audit Evidence
 any information used by the IS auditor to determine whether the entity
or data being audited follows the established criteria or objectives &
supports audit conclusions

 Techniques for gathering evidence:

 Review IS organization structures

 Review IS policies and procedures
 Review IS standards
 Review IS documentation
 Interview appropriate personnel
 Observe processes and employee performance
 Walkthrough

Point to remember: A CISA candidate, given an audit scenario,

should be able to determine which type of evidence gathering tech-
nique would be best

https://www.infosectrain.com sales@infosectrain.com Page No.11

10. Audit Sampling
 The subset of population members used to perform testing

 Two approaches of sampling:

a. Statistical sampling - using

24
mathematical laws of probability to
create the sample size
b. Non-Statistical
sampling -
Uses auditor
judgment to
determine the
method of
sampling

 Methods of sampling

a. Attribute sampling - Applied in compliance testing situations, deals

with the presence or absence of the attribute & provides conclusions
that are expressed in rates of incidence. Involves three types:

 Attribute sampling - selecting a small number of transactions & ma-

king assumptions about how their characteristics represent the full
population of which the selected items are a part
 Stop-or-sampling - This model help prevents excessive sampling of
an attribute by allowing an audit test to be stopped at the earliest po
ssible moment. It is mostly used when auditor believes that relatively
few errors will be found in populations
 Discovery sampling – It is mostly used when the objective of audit is

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
to discover fraud

https://www.infosectrain.com sales@infosectrain.com Page No.12

b. Variable sampling - Applied in substantive testing situations, deals
with population characteristics that vary, such as monetary values &
weights or any other measurement and provides conclusions related
to deviations from the norm. Involves three types:

 Stratified mean per unit – It a statistical model in which population is

divided into groups and samples are drawn from the various groups
 Un-stratified mean per unit – A statistical model in which sample
mean (Average) is calculated and projected as an estimated total.
 Difference estimation – Statistical model used to estimate the total
difference between audited values and unaudited values based on
differences obtained from sample observations.

c. Important statistical terms:

 Confident coefficient (CC) – A percentage expression of the probabil

ity that the characteristics of sample are true representation of the
population.
Stronger the internal control,
lower the confident
coefficient
 Level of risk – Equal to
one minus the confidence
coefficient [if confident
co-efficient is
95%, the level of
risk is
(100-95= 5%)]
 Expected error
rate (ERR) – An
estimate stated
as a percent of
the error that
may exist. The greater the ERR, greater the sample size

Point to remember: The IS auditor should be familiar with the different

types of sampling techniques and when it is appropriate to use each of
them

https://www.infosectrain.com sales@infosectrain.com Page No.13

11. Control Self-assessment (CSA)
a. What is CSA?
 assessment of controls made by the staff and management of the
unit or units involved
 management technique that assures stakeholders, customers and
other parties that the internal control system of the organization is
reliable.
 Ensures that employees are aware of the risk to the business & they
conduct periodic, proactive reviews of controls

b. Objectives of CSA
 to leverage the internal audit function by
shifting some of the control monitoring
responsibilities to the functional areas
 not intended to replace audit’s
responsibilities but to enhance them

c. Benefits of CSA
 Early detection of risk
 More effective and improved
internal controls
 Developing a sense
of ownership of the
controls in the
employees and
process owners
 reducing their
resistance to
control improvement
initiatives
 Increased communication between operational and

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
top management
 Highly motivated employees

https://www.infosectrain.com sales@infosectrain.com Page No.14

d. Disadvantages of CSA
 mistaken as an audit function replacement
 considered as an additional workload
 Failure to act on improvement suggestions could damage employee
morale
 Lack of motivation may limit effectiveness in the detection of weak

ht ps:/ www.infosectrain.com/courses/cisa-certification-training/
controls

e. Auditor’s role in CSA

 The auditor’s role in CSAs should be considered enhanced when audit
departments establish a CSA program.
 Auditors internal control professionals & assessment facilitators

https://www.infosectrain.com sales@infosectrain.com Page No.15

THANKS
https://www.infosectrain.com
sales@infosectrain.com
+91-97736-67874

https://www.infosectrain.com sales@infosectrain.com Page No.16