Chapter 1: The Process of Auditing Information Systems

Certified Information Systems Auditor, an ISACA Certification

Section One: Overview
Section Two: Content
1.3 ISACA IS Audit and Assurance Standards and Guidelines .......... 31

CISA Review Manual 2014. ISACA. All Rights Reserved.

Section One: Overview
DEFINITION

This chapter on the process of auditing information systems encompasses the entire practice of IS auditing, including procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.

OBJECTIVES

The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to provide audit services in accordance with IS audit standards to assist the organization with protecting and controlling information systems.

This area represents 14 percent of the CISA exam (approximately 28 questions).

TASK AND KNOWLEDGE STATEMENTS

TASKS

There are five tasks within the domain covering the process of auditing information systems:

T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
T1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
T1.5 Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

KNOWLEDGE STATEMENTS

The CISA candidate must have a good understanding of each of the topics or areas delineated by the knowledge statements. These statements are the basis for the exam.

There are 10 knowledge statements within the domain covering the process of auditing information systems:

KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
KS1.3 Knowledge of control objectives and controls related to information systems
KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up
KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
KS1.8 Knowledge of different sampling methodologies
KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
KS1.10 Knowledge of audit quality assurance systems and frameworks

Relationship of Task to Knowledge Statements

The task statements are what the CISA candidate is expected to know how to perform. The knowledge statements delineate each of the areas in which the CISA candidate must have a good understanding in order to perform the tasks. The task and knowledge statements are mapped in exhibit 1.1 insofar as it is possible to do so. Note that although there is often overlap, each task statement will generally map to several knowledge statements.

Exhibit 1.1: Task and Knowledge Statements Mapping

Task T1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
Knowledge statements:
  KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
  KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
  KS1.3 Knowledge of control objectives and controls related to information systems
  KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
  KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
  KS1.10 Knowledge of audit quality assurance systems and frameworks

Task T1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
Knowledge statements:
  KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
  KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
  KS1.3 Knowledge of control objectives and controls related to information systems
  KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up
  KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
  KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

Task T1.3 Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
Knowledge statements:
  KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
  KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
  KS1.3 Knowledge of control objectives and controls related to information systems
  KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up
  KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT
  KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
  KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
  KS1.8 Knowledge of different sampling methodologies
  KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)

Task T1.4 Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
Knowledge statements:
  KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
  KS1.3 Knowledge of control objectives and controls related to information systems
  KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
  KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)

Task T1.5 Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.
Knowledge statements:
  KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards
  KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up


Knowledge Statement Reference Guide

Each knowledge statement is explained in terms of underlying concepts and relevance of the knowledge statement to the IS auditor. It is essential that the exam candidate understand the concepts. The knowledge statements are what the IS auditor must know in order to accomplish the tasks. Consequently, only the knowledge statements are detailed in this section.

The sections identified in KS1.1 to KS1.10 are described in greater detail in section two of this chapter.

KS1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques; Code of Professional Ethics; and other applicable standards

The credibility of any audit activity is largely determined by its adherence to commonly accepted standards. IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, and the Code of Professional Ethics, are developed, circulated for discussion among audit professionals and issued by ISACA in order to provide a framework of minimum and essential references regarding how an IS auditor should perform work and act in a professional manner. IS auditors should comply with ISACA IS Audit and Assurance Standards and follow guidelines, as relevant. Failure to follow standards or to justify departure from guidelines may result in a violation of the Code of Professional Ethics. Although the CISA candidate is expected to have knowledge of these standards and guidelines, the exam will test the candidate's understanding of the application of the information rather than asking "definitional" questions that simply test information recall.

Key concepts and references in the CISA Review Manual 2014:
  IS Audit and Assurance Standards, Guidelines, and Tools and Techniques: 1.3.1 ISACA Code of Professional Ethics; 1.3.2 ISACA IS Audit and Assurance Standards Framework; 1.3.3 ISACA IS Audit and Assurance Guidelines; 1.3.4 ISACA IS Audit and Assurance Tools and Techniques; 1.3.5 Relationship Among Standards, Guidelines, and Tools and Techniques

KS1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context

The overall audit plan of the organization should be based on business risk related to the use of IT, and the IS auditor is expected to be aware of the need to focus on this risk. In addition, an audit must focus on the most critical elements of the function under review. For this reason, the IS auditor should be aware of, and be able to put into practice, the risk analysis techniques needed to identify and prioritize business risks within the audit scope. This approach allows the IS auditor to create an audit plan that applies finite audit resources to where they are most needed. Although business risk is the most important driver of the audit program, the IS auditor must also take steps to minimize associated elements such as sampling risk, detection risk, materiality of findings, etc., since these may impact the adequacy of the review.

Key concepts and references in the CISA Review Manual 2014:
  Impact of risk assessment on auditing: 1.4 Risk Analysis; 1.6.3 Audit Methodology; 1.6.5 Risk-based Auditing; 1.6.6 Audit Risk and Materiality; 1.6.8 Risk Assessment Techniques
  Understanding risk analysis concepts within an auditing context: 1.4 Risk Analysis
  Applying risk analysis techniques during audit planning: 1.6.5 Risk-based Auditing; 1.6.6 Audit Risk and Materiality; 1.6.7 Risk Assessment and Treatment; 1.6.8 Risk Assessment Techniques


KS1.3 Knowledge of control objectives and controls related to information systems

IS auditing involves the assessment of IS-related controls put in place to ensure the achievement of control objectives. Understanding control objectives and identifying the key controls that help achieve a properly controlled environment are essential for the effectiveness and efficiency of the IS audit process. Auditing is, therefore, a process of ensuring that control objectives are appropriately addressed by the associated controls. COBIT provides a comprehensive control framework that can help the IS auditor benchmark control objectives. The CISA candidate will find COBIT to be an excellent source of information when preparing for the CISA exam. The CISA candidate should remember that the CISA exam will not include questions that ask for COBIT definitions, nor will the candidate be asked to quote any particular COBIT reference.

Key concepts and references in the CISA Review Manual 2014:
  Understanding control objectives: 1.5.1 IS Control Objectives; 1.5.2 COBIT 5; 1.5.4 IS Controls

KS1.4 Knowledge of audit planning and audit project management techniques, including follow-up

To achieve audit objectives within a precise scope and budget, the audit should be adequately planned. The performance of an IS audit does not differ substantially from a project. Accordingly, audit planning requires a similar level of preplanning to ensure an appropriate and efficient use of audit resources. Auditors need to understand project planning and management techniques to properly manage the audit and avoid an inefficient utilization of resources. The CISA exam will not include questions that are written for a project manager who is not an IS auditor.

Key concepts and references in the CISA Review Manual 2014:
  1.2.2 IS Audit Resource Management; 1.2.3 Audit Planning; 1.2.4 Effect of Laws and Regulations on IS Audit Planning
  Impact of IS environment on IS auditing practices and techniques: 1.6.2 Audit Programs; 1.6.3 Audit Methodology; 1.6.9 Audit Objectives; 2.11 Auditing IT Governance Structure and Implementation; 2.13 Auditing Business Continuity; 3.13 Auditing Application Controls; 3.14 Auditing Systems Development, Acquisition and Maintenance; 4.6 Auditing Infrastructure and Operations; 5.5 Auditing Information Security Management Framework; 5.6 Auditing Network Infrastructure Security

KS1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT

To effectively identify the enterprise's key risk, one must obtain an understanding of the organization and its environment, specifically obtaining an understanding of the external and internal factors affecting the entity, the entity's selection and application of policies and procedures, the entity's objectives and strategies, and the measurement and review of the entity's performance. As part of obtaining this understanding, one must also obtain an understanding of some key components such as the entity's strategic management, business model, and corporate governance processes and the kinds of transactions that the entity engages in and with whom it transacts. One must understand how those transactions flow through and are captured into the information systems.

Key concepts and references in the CISA Review Manual 2014:
  Understanding risk analysis concepts within an auditing context: 1.4 Risk Analysis
  Understanding control objectives: 1.5.1 IS Control Objectives; 1.5.2 COBIT 5; 1.5.4 IS Controls

KS1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

Laws and regulations of any kind, including international treaties; central, federal or local government; or industry-related laws and regulations, affect the way that organizations conduct business, and very often determine scope, frequency and type of audits, and substantially affect reporting requirements. In fraud investigations or legal proceedings, maintaining the integrity of evidence throughout the evidence life cycle may be referred to as the chain of custody when the evidence is classified as forensic evidence. The CISA candidate is expected to be aware of, rather than a participant in, such specific evidence collection.

Key concepts and references in the CISA Review Manual 2014:
  Factors to consider in collection, protection and chain of custody of audit evidence in an IS audit: 1.6.11 Evidence; 1.6.19 Audit Documentation
  Special considerations in audit documentation for evidence: 1.8.2 Continuous Auditing

KS1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence

One essential audit concept is that audit findings must be supported by objective evidence. Therefore, it is essential to know the techniques used to gather and preserve evidence. Information is gathered from the auditees or from a variety of alternative sources, including: reference manuals; accountants, banks, suppliers, vendors, etc.; and other related functional areas of the business. Information is gathered through inquiry, observation and interviews, and analysis of data using computer-assisted auditing techniques (CAATs). Electronic media, including the use of automated audit software, may be used for preserving evidence that supports audit findings, but care should be taken to preserve any "hard copy" that may constitute part of the audit evidence. In all cases, it is important that retention policies for electronic evidence be sufficient to preserve evidence that supports audit findings. As an international organization, ISACA recognizes that the "rules of evidence" will differ according to local and national legislation, regulation and culture; however, concepts such as the importance of forensic evidence are universal.

Audit conclusions should be supported by reliable and relevant evidence. Evidence collected during the course of an audit follows a life cycle. This life cycle includes collection, analysis, and preservation and destruction of evidence. The source of evidence should be reliable and qualified, i.e., from an appropriate, original source rather than obtained as a "comment" or "hearsay", and should originate directly from a trusted source to help ensure objectivity. As an example, system configuration settings copied by a system administrator to a spreadsheet and then presented to an auditor would not be considered reliable since they would have been subject to alteration. Audit evidence should include information regarding date of creation and original source. Since electronic evidence is more dynamic than hard copy documents, security measures should be used to preserve the integrity of evidence collected and provide assurance that the evidence has not been altered in any way.

Key concepts and references in the CISA Review Manual 2014:
  Application and relative value of computer-assisted audit techniques: 1.6.15 Computer-assisted Audit Techniques
  Techniques for obtaining evidence: 1.6.11 Evidence; 1.6.12 Interviewing and Observing Personnel in Performance of Their Duties
  Computer-assisted audit techniques: 1.6.15 Computer-assisted Audit Techniques

Continuous auditing is a process by which the effectiveness and efficiency of controls is measured primarily by automated reporting processes that enable management to be aware of emerging risks or control weaknesses, without the need for a "regular" audit. The result is that information flow to management and implementation of corrective measures occur sooner. The IS auditor should be aware of the techniques involved in continuous auditing in order to facilitate the introduction of these techniques, as appropriate. The IS auditor must not rely solely on continuous auditing techniques when there is a high business risk and the continuous auditing technique deployed is not considered elaborate and exhaustive. This is the case, for example, when continuous auditing as a process has been put in place recently, or when the impact of control failure would be considerable. In such cases, regular formal audits must be scheduled to support and reinforce continuous auditing.

Key concepts and references in the CISA Review Manual 2014:
  Factors to consider in collection, protection and chain of custody of audit evidence in an IS audit: 1.6.11 Evidence; 1.6.19 Audit Documentation
  Special considerations in audit documentation for evidence: 1.8.2 Continuous Auditing
  1.8.2 Continuous Auditing


KS1.8 Knowledge of different sampling methodologies

Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information. There is a direct relationship between the strength of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the control testing reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts. The efficiency and effectiveness of this testing can be enhanced through the use of sampling.

Sampling is performed when time and cost considerations preclude a total verification of all transactions or events in a predefined population. The population consists of the entire group of items that need to be examined. The subset of population members used to perform testing is called the sample. Sampling is used to infer characteristics about the entire population based on the characteristics of the sample. For some time, there has been a focus on the IS auditor's ability to verify the adequacy of internal controls through the use of sampling techniques. This has become necessary since many controls are transactional in nature, which can make it difficult to test the entire population. However, sampling is not always warranted, since software may allow the testing of certain attributes across the entire population. Although a candidate is not expected to become a sampling expert, it is important for the candidate to have a foundational understanding of the general principles of sampling and how to design a relevant and reliable sample.

Key concepts and references in the CISA Review Manual 2014:
  1.6.10 Compliance vs. Substantive Testing
  Basic approaches to sampling and their relation to testing approaches: 1.6.13 Sampling

KS1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)

Effective and clear communication can significantly improve the quality of audits and maximize their results. Audit findings should be reported and communicated to stakeholders with appropriate buy-in from the auditees for the audit process to be successful. Auditors should also take into account the motivations and perspectives of recipients of the audit report so that their concerns may be properly addressed. Communication skills (both written and verbal) determine the effectiveness of the audit reporting process. Communication and negotiation skills are required throughout the audit activity. Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action. This goal may require the use of techniques such as facilitation, negotiation and conflict resolution. IS auditors should also understand the concept of materiality, i.e., the relative importance of findings based on business impact.

Key concepts and references in the CISA Review Manual 2014:
  1.3.6 Information Technology Assurance Framework (ITAF) (Section 2600, Reporting Standards)
  Applying various communication techniques to the reporting of audit results: 1.6.17 Communicating Audit Results
  Applying communication techniques to facilitation roles in control self-assessments: 1.7 Control Self-assessment; 1.7.4 Auditor Role in CSA


KS1.10 Knowledge of audit quality assurance systems and frameworks

IS auditing is a branch of the broader field of auditing. Auditing standards refer to minimum parameters that should be taken into account when performing an audit. However, there may be guidelines and additional audit procedures that an auditor may wish to add in order to develop an opinion on the proper functioning of controls. Most of the basic auditing practices and techniques are equally relevant in an IS audit. The IS auditor should understand the impact of the IS environment on traditional auditing practices and techniques to ensure that the basic objective of the audit exercise is achieved. The practices and techniques to be used in a specific IS audit should be determined during the audit planning stage and incorporated into an audit program. ISACA does not define, or require knowledge of, any specific audit methodology, but expects the IS auditor to be aware of the general principles involved in planning and conducting an effective audit program.

Control self-assessment (CSA) is a process in which an IS auditor can act in the role of facilitator to the business process owners to help them define and assess appropriate controls. The process owners and the personnel who run the processes use their knowledge and understanding of the business function to evaluate the performance of controls against the established control objectives, while taking into account the risk appetite of the enterprise.

Process owners are in an ideal position to define the appropriate controls since they have a greater knowledge of the process objectives. The IS auditor helps the process owners understand the need for controls, based on risks to the business processes. Results must be interpreted with a certain level of skepticism because process owners are not always objective when assessing their own activities.

Key concepts and references in the CISA Review Manual 2014:
  Impact of IS environment on IS auditing practices and techniques: 1.6.2 Audit Programs; 1.6.3 Audit Methodology; 1.6.9 Audit Objectives; 2.11 Auditing IT Governance Structure and Implementation; 2.13 Auditing Business Continuity; 3.13 Auditing Application Controls; 3.14 Auditing Systems Development, Acquisition and Maintenance; 4.6 Auditing Infrastructure and Operations; 5.5 Auditing Information Security Management Framework; 5.6 Auditing Network Infrastructure Security
  Points of relevance while using services of other auditors and experts: 1.6.14 Using the Services of Other Auditors and Experts
  1.7 Control Self-assessment; 1.7.1 Objectives of CSA; 1.7.2 Benefits of CSA; 1.7.3 Disadvantages of CSA; 1.7.4 Auditor Role in CSA
  Relevance of different technology drivers for CSA in the current business environment: 1.7.5 Technology Drivers for CSA
  Relevance of different approaches of CSA in a given context: 1.7.6 Traditional vs. CSA Approach
  Applying communication techniques to facilitation roles in control self-assessments: 1.7 Control Self-assessment; 1.7.4 Auditor Role in CSA

SUGGESTED RESOURCES FOR FURTHER STUDY

Cascarino, Richard E.; Auditor's Guide to IT Auditing and Software Demo, 2nd Edition, 2012
Davis, Chris; Mike Schiller; Kevin Wheeler; IT Auditing: Using Controls to Protect Information Assets, 2nd Edition, McGraw Hill, USA, 2011
Fox, Christopher; Paul Zonneveldt; IT Governance Institute; IT Control Objectives for Sarbanes-Oxley, 2nd Edition, USA, 2006, www.isaca.org/sox
ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit
ISACA, IT Standards and Summaries of Guidelines and Tools and Techniques for Audit and Assurance and Control Professionals, USA, 2012, www.isaca.org/standards
Senft, Sandra; Frederick Gallegos; Aleksandra Davis; Information Technology Control and Audit, 4th Edition, CRC Press, USA, 2012

Note: Publications in bold are stocked in the ISACA Bookstore.


SELF-ASSESSMENT QUESTIONS

CISA self-assessment questions support the content in this manual and provide an understanding of the type and structure of questions that have typically appeared on the exam. Questions are written in a multiple-choice format and designed for one best answer. Each question has a stem (question) and four options (answer choices). The stem may be written in the form of a question or an incomplete statement. In some instances, a scenario or a description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. Many times a question will require the candidate to choose the MOST likely or BEST answer among the options provided.

In each case, the candidate must read the question carefully, eliminate known incorrect answers and then make the best choice possible. Knowing the format in which questions are asked, and how to study and gain knowledge of what will be tested, will help the candidate correctly answer the questions.

1-1 Which of the following outlines the overall authority to perform an IS audit?
A. The audit scope, with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule

1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

1-5 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses since a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.

1-6 Which of the following is the MOST important reason why an audit planning process should be reviewed at periodic intervals?
A. To plan for deployment of available audit resources
B. To consider changes to the risk environment
C. To provide inputs for documentation of the audit charter
D. To identify the applicable IS audit standards

1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

1-8 The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business's objectives.
D. develop the audit approach or audit strategy.

1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.

1-10 A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
ANSWERS TO SELF-ASSESSMENT QUESTIONS

1-1 C The approved audit charter outlines the auditor's responsibility, authority and accountability. The audit scope is specific to one audit and does not grant authority to perform an audit. A request from management to perform an audit is not sufficient because it relates to a specific audit. The approved audit schedule does not grant authority to perform an audit.

1-2 C Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.

1-3 A A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.

1-4 C The risk level or exposure without taking into account the actions that management has taken or might take is inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk that a material misstatement with a management assertion will not be detected by the auditor's substantive tests. It consists of two components, sampling risk and nonsampling risk. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. Nonsampling risk is the detection risk not related to sampling; it can be due to a variety of reasons, including, but not limited to, human error.

1-5 D The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review for which additional resources may be recommended.

1-6 B Short- and long-term issues that drive audit planning can be heavily impacted by changes to the risk environment, technologies and business processes of the enterprise. Planning for deployment of available audit resources is determined by the audit assignments planned, which is influenced by the planning process. The audit charter reflects the mandate of top management to the audit function and resides at a more abstract level. Applicability of IS audit standards, guidelines and procedures is universal to any audit engagement and is not influenced by short- and long-term issues.

1-7 B Facilitated workshops work well within business units. Process flow narratives and data flow diagrams would not be as effective since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.

1-8 C The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures, and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.

1-9 A Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.

1-10 C A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage of files, thereby reducing the impact of a disruption. Preventive controls are those that avert problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.


Section Two: Content

1.1 QUICK REFERENCE

Chapter 1 outlines the framework for performing IS auditing, specifically including those mandatory requirements regarding IS auditor mission and activity, as well as best practices to achieve an appropriate IS auditing outcome. CISA candidates should have a sound understanding of the following items, not only within the context of the present chapter, but also to correctly address questions in related subject areas. It is important to keep in mind that it is not enough to know these concepts from a definitional perspective. The CISA candidate must also be able to identify which elements may represent the greatest risk and which controls are most effective at mitigating this risk. Examples of key topics in this chapter include:
• IS auditor roles and associated responsibilities, including expected audit outcomes; differences between IS auditing tasks within an assurance assignment and those within a consulting assignment.
• The need for audit independence and level of authority within the internal audit environment as opposed to an external context.
• Minimum audit planning requirements for an IS audit assignment, regardless of the specific or particular audit objective and scope.
• Understanding the required level of compliance with ISACA standards for IS auditing, as well as for ISACA guidelines.
• When planning audit work, the importance of clear identification of the audit approach related to controls defined as "general" versus auditing controls that are defined as "application controls."
• Scope, field work, application and execution of the concepts included in "audit risk" versus "business risk."
• The key role of requirements-compliant audit evidence when supporting the credibility of audit results and reporting.
• The reliance on electronic audit work papers and evidence.
• Purpose and planning opportunities of compliance testing versus substantive testing.
• Audit responsibility and level of knowledge when considering legal requirements affecting IT within an audit scope.
• The IS risk-oriented audit approach versus the complementary need for IS auditors to be acquainted with diverse IS standards and frameworks.
• Understanding the difference between the objectives of implemented controls and control procedures.

1.2 MANAGEMENT OF THE IS AUDIT FUNCTION

The audit function should be managed and led in a manner that ensures that the diverse tasks performed and achieved by the audit team will fulfill audit function objectives, while preserving audit independence and competence. Furthermore, managing the audit function should ensure value added contributions to senior management regarding the efficient management of IT and achievement of business objectives.

1.2.1 ORGANIZATION OF THE IS AUDIT FUNCTION

IS audit services can be provided externally or internally.

The role of the IS internal audit function should be established by an audit charter approved by senior management. IS audit can be a part of internal audit, function as an independent group, or be integrated within a financial and operational audit (see exhibit 1.9) to provide IT-related control assurance to the financial or management auditors. Therefore, the audit charter may include IS audit as an audit support function. The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function. This document should outline the overall authority, scope and responsibilities of the audit function. The highest level of management and the audit committee, if one exists, should approve this charter. Once established, this charter should be changed only if the change can be and is thoroughly justified. ISACA IS auditing standards require that the responsibility, authority and accountability of the IS audit function are appropriately documented in an audit charter or engagement letter (S1 Audit Charter). It should be noted that an audit charter is an overarching document that covers the entire scope of audit activities in an entity while an engagement letter is more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

If IS audit services are provided by an external firm, the scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider.

In either case, the internal audit function should be independent and report to an audit committee, if one exists, or to the highest management level such as the board of directors.

1.2.2 IS AUDIT RESOURCE MANAGEMENT

IS technology is constantly changing. Therefore, it is important that IS auditors maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas. ISACA IS Auditing Standards require that the IS auditor be technically competent (S4 Professional Competence), having the skills and knowledge necessary to perform the auditor's work. Further, the IS auditor is to maintain technical competence through appropriate continuing professional education. Skills and knowledge should be taken into consideration when planning audits and assigning staff to specific audit assignments.

Preferably, a detailed staff training plan should be drawn for the year based on the organization's direction in terms of technology and related risk that needs to be addressed. This should be reviewed periodically to ensure that the training efforts and results are aligned to the direction that the audit organization is taking. Additionally, IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature (e.g., tools, methodology, work programs).

1.2.3 AUDIT PLANNING

Annual Planning
Audit planning consists of both short- and long-term planning. Short-term planning takes into account audit issues that will be covered during the year, whereas long-term planning relates to audit plans that will take into account risk-related issues regarding changes in the organization's IT strategic direction that will affect the organization's IT environment.

All of the relevant processes that represent the blueprint of the entity's business should be included in the audit universe. The audit universe ideally lists all of the processes that may be considered for audit. Each of these business processes may be subjected to a qualitative or quantitative risk assessment by evaluating the risk in respect to defined, relevant risk factors. The risk factors are those factors that influence the frequency and/or business impact of risk scenarios. For example, for an entity engaged in retail business, reputation can be a critical risk factor. The evaluation of risk should ideally be based on inputs from the business process owners. Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot be completely avoided. For example, in respect to the reputation risk factor, the criteria based on which inputs can be solicited from the business may be rated as:
• High: A process issue may result in damage to the reputation of the entity which will take more than six months to recover
• Medium: A process issue may result in damage to the reputation of the entity which will take less than six months but more than three months to recover
• Low: A process issue may result in damage to the reputation of the entity which will take less than three months to recover

In this example, the defined time frame represents the objective aspect of the criteria, and the subjective aspect of the criteria can be found in the business process owners' determination of the time frame, that is, whether it is more than six months or less than three months. Once the risk is evaluated for each relevant factor, an overall criterion may be defined to determine the overall risk of each of the processes.

The audit plan can then be constructed to include all of the processes that are rated "high," which would represent the ideal annual audit plan. However, in practice, when the resources required to execute the "ideal" plan are agreed on, often the available resources are not sufficient to execute the entire "ideal" plan. This analysis will help the audit function to demonstrate to top management the gap in resourcing and give top management a good idea of the amount of risk that management is accepting if it does not add to or augment the existing audit resources.

Analysis of short- and long-term issues should occur at least annually. This is necessary to take into account new control issues; changes in the risk environment, technologies and business processes; and enhanced evaluation techniques. The results of this analysis for planning future audit activities should be reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management. The annual planning should be updated if any key aspects of the risk environment have changed (e.g., acquisitions, new regulatory issues, market conditions).

Individual Audit Assignments
In addition to overall annual planning, each individual audit assignment must be adequately planned. The IS auditor should understand that other considerations, such as the results of periodic risk assessments, changes in the application of technology, and evolving privacy issues and regulatory requirements, may impact the overall approach to the audit. The IS auditor should also take into consideration system implementation/upgrade deadlines, current and future technologies, requirements from business process owners, and IS resource limitations.

When planning an audit, the IS auditor must have an understanding of the overall environment under review. This should include a general understanding of the various business practices and functions relating to the audit subject, as well as the types of information systems and technology supporting the activity. For example, the IS auditor should be familiar with the regulatory environment in which the business operates.

To perform audit planning, the IS auditor should perform the steps indicated in exhibit 1.2.

Exhibit 1.2:
• Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology, and information confidentiality.
• Understand changes in the business environment of the auditee.
• Review prior work papers.
• Identify stated contents such as policies, standards and required guidelines, procedures and organization structure.
• Perform a risk analysis to help in designing the audit plan.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit.
• Address engagement logistics.

IS Auditing Standards require the IS auditor to plan the IS audit work to address the audit objectives and comply with applicable professional auditing standards (S5 Planning). The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure. Where appropriate, the IS auditor should also consider the area under review and its relationship to the organization (strategically, financially and/or operationally) and obtain information on the strategic plan, including the IS strategic plan. The IS auditor should have an understanding of the auditee's information technology architecture and technological direction to design a plan appropriate for the present and, where appropriate, future technology of the auditee.

Steps an IS auditor could take to gain an understanding of the business include:
• Reading background material including industry publications, annual reports and independent financial analysis reports
• Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
• Reviewing business and IT long-term strategic plans
• Interviewing key managers to understand business issues
• Identifying specific regulations applicable to IT
• Identifying IT functions or related activities that have been outsourced
• Touring key organization facilities

Another basic component of planning is the matching of available audit resources to the tasks as defined in the audit plan. The IS auditor who prepares the plan should consider the requirements of the audit project, staffing resources and other constraints. This matching exercise should consider the needs of individual audit projects as well as the overall needs of the audit department.
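The risk rating of the audit universe and the construction of the "ideal" annual plan described above, carried through as an added Python example (this is not code from the CISA Review Manual). The process names, risk factors, audit hours, the rule that a process takes its highest factor rating and the ordering used to fit the plan into the available hours are all constructed assumptions:

```python
"""Risk-based construction of an annual IS audit plan from an audit universe.

Added example; not code from the CISA Review Manual. It walks the planning
logic in the text: each process in the audit universe is rated against
defined risk factors, the factor ratings are combined into an overall rating,
the "ideal" plan takes every process rated "high", and the gap between that
plan and the audit hours actually available is quantified so management can
see the risk it accepts by not augmenting audit resources.
"""
from dataclasses import dataclass

RATING_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Process:
    name: str
    # Subjective input from the business process owner: months needed to
    # recover the entity's reputation after an issue in this process.
    reputation_recovery_months: float
    # Other risk factors, already rated low/medium/high by the owner
    # (factor names are constructed for this example).
    other_factors: dict
    estimated_hours: int  # audit effort needed to cover the process


def rate_reputation(recovery_months):
    """Objective part of the reputation criterion from the text.

    More than six months -> high; more than three but at most six -> medium;
    otherwise low. Putting exactly 3 and 6 months in the lower band is an
    assumption; the text does not say where the boundaries fall.
    """
    if recovery_months > 6:
        return "high"
    if recovery_months > 3:
        return "medium"
    return "low"


def factor_ratings(process):
    """All factor ratings for a process: reputation is derived from the
    owner's time estimate, the others are taken as given. Rejects ratings
    outside the low/medium/high scale."""
    ratings = dict(process.other_factors)
    ratings["reputation"] = rate_reputation(process.reputation_recovery_months)
    unknown = [r for r in ratings.values() if r not in RATING_SCORE]
    if unknown:
        raise ValueError(f"{process.name}: unknown rating(s) {unknown}")
    return ratings


def overall_rating(ratings):
    """Overall criterion (assumption): a process is as risky as its riskiest factor."""
    return max(ratings.values(), key=RATING_SCORE.__getitem__)


def assess_universe(universe):
    """Map each process name to its overall rating."""
    return {p.name: overall_rating(factor_ratings(p)) for p in universe}


def ideal_plan(universe):
    """The ideal annual plan: every process rated high, in priority order.

    Priority (assumption): more factors rated high first, then less effort
    first, so a fixed budget covers as many high-risk processes as possible.
    """
    high = [p for p in universe if overall_rating(factor_ratings(p)) == "high"]

    def priority(p):
        highs = sum(1 for r in factor_ratings(p).values() if r == "high")
        return (-highs, p.estimated_hours)

    return sorted(high, key=priority)


def resourcing_gap(plan, available_hours):
    """Fit the ideal plan into the available hours (first fit in priority
    order) and report what stays uncovered: that is the risk management
    accepts if it does not add to the existing audit resources."""
    required = sum(p.estimated_hours for p in plan)
    covered, deferred, left = [], [], available_hours
    for p in plan:
        if p.estimated_hours <= left:
            covered.append(p.name)
            left -= p.estimated_hours
        else:
            deferred.append(p.name)
    return {
        "required_hours": required,
        "available_hours": available_hours,
        "shortfall_hours": max(0, required - available_hours),
        "covered": covered,
        "deferred": deferred,
    }


# Constructed sample audit universe for a retailer (names and values invented).
SAMPLE_UNIVERSE = [
    Process("Order-to-cash", 9, {"regulatory": "medium", "financial": "high"}, 120),
    Process("Payroll", 4, {"regulatory": "high", "financial": "medium"}, 80),
    Process("Customer data platform", 8, {"regulatory": "high", "financial": "medium"}, 100),
    Process("Facilities booking", 1, {"regulatory": "low", "financial": "low"}, 40),
    Process("Marketing analytics", 5, {"regulatory": "medium", "financial": "low"}, 60),
]

if __name__ == "__main__":
    for name, rating in assess_universe(SAMPLE_UNIVERSE).items():
        print(f"{name:24s} {rating}")
    gap = resourcing_gap(ideal_plan(SAMPLE_UNIVERSE), available_hours=200)
    print(f"ideal plan needs {gap['required_hours']} h, have {gap['available_hours']} h, "
          f"shortfall {gap['shortfall_hours']} h; deferred: {gap['deferred']}")
```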

1.2.4 EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING

Each organization, regardless of its size or the industry within which it operates, will need to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computers, programs and data are stored and used. Additionally, business regulations can impact the way data are processed, transmitted and stored (stock exchange, central banks, etc.). Special attention should be given to these issues in industries that are closely regulated. The banking industry worldwide has severe penalties for banks and their officers should a bank be unable to provide an adequate level of service due to security or other breaches. Inadequate security in a bank's online portal can result in loss of customer funds. In several countries Internet service providers (ISPs) are subject to laws regarding confidentiality and service availability.

Because of growing dependency on information systems and related technology, several countries are making efforts to add legal regulations concerning IS audit. The content of these legal regulations pertains to:
• Establishment of regulatory requirements
• Responsibilities assigned to corresponding entities
• Financial, operational and IT audit functions

Management personnel as well as audit management, at all levels, should be aware of the external requirements relevant to the goals and plans of the organization, and to the responsibilities and activities of the information services department/function/activity.

There are two major areas of concern: legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and legal requirements placed on the auditee and its systems, data management, reporting, etc. These areas would impact audit scope and audit objectives. The latter is important to internal and external auditors. Legal issues also impact the organizations' business operations in terms of compliance with ergonomic regulations, the US Health Insurance Portability and Accountability Act (HIPAA), protection of personal Data Directives and Electronic Commerce within the European Community, fraud prevention within banking organizations, etc.

An example of strong control practices is the US Sarbanes-Oxley Act of 2002, which requires evaluating an organization's internal controls. Sarbanes-Oxley provides for new corporate governance rules, regulations and standards for specified public companies including US Securities and Exchange Commission (SEC) registrants. The SEC has mandated the use of a recognized internal control framework. Sarbanes-Oxley requires organizations to select and implement a suitable internal control framework. The Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has become the most commonly adopted framework by public companies seeking to comply. Since the US Sarbanes-Oxley Act has as an objective increasing the level of control of business processes and the information systems supporting them, the IS auditors have to consider the impact of Sarbanes-Oxley as part of audit planning.

A similar example of regulatory requirement are the Basel Accords (I, II and III). The Basel Accords regulate the minimum amount of capital for financial organizations based on the level of risk they face. The Basel Committee on Banking Supervision recommends conditions and capital requirements that should be fulfilled to manage risk exposure. These conditions will ideally result in an improvement in:
• Credit risk
• Operational risk
• Market risk

The following are steps an IS auditor would perform to determine an organization's level of compliance with external requirements:
• Identify those government or other relevant external requirements dealing with:
  - Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  - Computer system practices and controls
  - The manner in which computers, programs and data are stored
  - The organization or the activities of information technology services
  - IS audits
• Document applicable laws and regulations.
• Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
• Review internal IS department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to established procedures that address these requirements.
• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

It is expected that the organization would have a legal compliance function on which the IS control practitioner could rely.

1.3 ISACA IS AUDIT AND ASSURANCE STANDARDS AND GUIDELINES

1.3.1 ISACA CODE OF PROFESSIONAL ETHICS

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known.
7. Support the professional education of stakeholders in enhancing their understanding of IS security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures.

1.3.2 ISACA IS AUDIT AND ASSURANCE STANDARDS FRAMEWORK

The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing. One of the most important functions of ISACA is providing information (common body of knowledge) to support knowledge requirements. (See standard S4 Professional Competence.)

One of ISACA's goals is to advance standards to meet this need. The development and dissemination of the IS audit and assurance standards is a cornerstone of the association's professional contribution to the audit community. The IS auditor needs to be aware that there may be additional standards, or even legal requirements, placed on the auditor.

The objectives of the ISACA IS audit and assurance standards are to inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for IS auditors.
• Management and other interested parties of the profession's expectations concerning the work of audit practitioners.
• Holders of the CISA certification should understand that failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and may ultimately result in disciplinary action.

The framework for the ISACA IS audit and assurance standards provides for multiple levels of documents:
• Standards define mandatory requirements for IS audit and assurance and reporting.
• Guidelines provide guidance in applying IS audit and assurance Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any difference.
• Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work, but do not set requirements.

Auditing Standards
The IS audit and assurance standards applicable to IS auditing are:

General
• 1001 Audit Charter:
  - 1001.1 The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability.
  - 1001.2 The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise.
• 1002 Organisational Independence:
  - 1002.1 The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
• 1003 Professional Independence:
  - 1003.1 The IS audit and assurance professional shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements.
• 1004 Reasonable Expectation:
  - 1004.1 The IS audit and assurance professional shall have reasonable expectation that the engagement can be completed in accordance with these IS audit and assurance standards and, where required, other appropriate professional or industry standards or applicable regulations and result in a professional opinion or conclusion.
  - 1004.2 The IS audit and assurance professional shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions.


  - 1004.3 The IS audit and assurance professional shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement.
• 1005 Due Professional Care:
  - 1005.1 The IS audit and assurance professional shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.
• 1006 Proficiency:
  - 1006.1 The IS audit and assurance professional, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required.
  - 1006.2 The IS audit and assurance professional, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter.
  - 1006.3 The IS audit and assurance professional shall maintain professional competence through appropriate continuing professional education and training.
• 1007 Assertions:
  - 1007.1 The IS audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
• 1008 Criteria:
  - 1008.1 The IS audit and assurance professional shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measureable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the IS audit or assurance report.
  - 1008.2 The IS audit and assurance professional shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.

Performance
• 1201 Engagement Planning:
  - 1201.1 The IS audit and assurance professional shall plan each IS audit and assurance engagement to address:
    • Objective(s), scope, timeline and deliverables
    • Compliance with applicable laws and professional auditing standards
    • Use of a risk-based approach, where appropriate
    • Engagement-specific issues
    • Documentation and reporting requirements
  - 1201.2 The IS audit and assurance professional shall develop and document an IS audit or assurance engagement project plan, describing the:
    • Engagement nature, objectives, timeline and resource requirements
    • Timing and extent of audit procedures to complete
• 1202 Risk Assessment in Planning:
  - 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  - 1202.2 The IS audit and assurance professional shall identify and assess risk relevant to the area under review, when planning individual engagements.
  - 1202.3 The IS audit and assurance professional shall consider subject matter risk, audit risk and related exposure to the enterprise.
• 1203 Performance and Supervision:
  - 1203.1 The IS audit and assurance professional shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
  - 1203.2 The IS audit and assurance professional shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards.
  - 1203.3 The IS audit and assurance professional shall accept only tasks that are within their knowledge and skills or for which they have reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
  - 1203.4 The IS audit and assurance professional shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence.
  - 1203.5 The IS audit and assurance professional shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
  - 1203.6 The IS audit and assurance professional shall identify and conclude on findings.
• 1204 Materiality:
  - 1204.1 The IS audit and assurance professional shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  - 1204.2 The IS audit and assurance professional shall consider materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  - 1204.3 The IS audit and assurance professional shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  - 1204.4 The IS audit and assurance professional shall disclose the following in the report:
    • Absence of controls or ineffective controls
    • Significance of the control deficiency
    • Probability of these weaknesses resulting in a significant deficiency or material weakness

CISA Review Manual 2OI4


ISA,CA. All Rights Besorved.
• 1205 Evidence:
  - 1205.1 The IS audit and assurance professional shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  - 1205.2 The IS audit and assurance professional shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.
• 1206 Using the Work of Other Experts:
  - 1206.1 The IS audit and assurance professional shall consider using the work of other experts for the engagement, where appropriate.
  - 1206.2 The IS audit and assurance professional shall assess and approve the adequacy of the other experts' professional qualifications, competencies, relevant experience, resources, independence and quality control processes prior to the engagement.
  - 1206.3 The IS audit and assurance professional shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
  - 1206.4 The IS audit and assurance professional shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
  - 1206.5 The IS audit and assurance professional shall determine whether the work of other experts will be relied on and incorporated directly or referred to separately in the report.
  - 1206.6 The IS audit and assurance professional shall apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of other experts does not provide sufficient and appropriate evidence.
  - 1206.7 The IS audit and assurance professional shall provide an appropriate audit opinion or conclusion and include any scope limitation where required evidence is not obtained through additional test procedures.
• 1207 Irregularity and Illegal Acts:
  - 1207.1 The IS audit and assurance professional shall consider the risk of irregularities and illegal acts during the engagement.
  - 1207.2 The IS audit and assurance professional shall maintain an attitude of professional scepticism during the engagement.
  - 1207.3 The IS audit and assurance professional shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.

Reporting
• 1401 Reporting:
  - 1401.1 The IS audit and assurance professional shall provide a report to communicate the results upon completion of the engagement, including:
    • Identification of the enterprise, the intended recipients and any restrictions on content and circulation
    • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
    • The findings, conclusions, and recommendations
    • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
    • Signature, date and distribution according to the terms of the audit charter or engagement letter
  - 1401.2 The IS audit and assurance professional shall ensure that findings in the audit report are supported by sufficient and appropriate evidence.
• 1402 Follow-up Activities:
  - 1402.1 The IS audit and assurance professional shall monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.

1.3.3 ISACA IS AUDIT AND ASSURANCE GUIDELINES
The objective of the ISACA IS Audit and Assurance Guidelines is to provide further information on how to comply with the ISACA IS Audit and Assurance Standards. The IS auditor should:
• Consider them in determining how to implement the above standards.
• Use professional judgment in applying them to specific audits.
• Be able to justify any difference.

Note: The CISA candidate is not expected to know the specific number of an IS audit and assurance guideline. The CISA exam tests how guidelines are applied within the audit process. The IS auditor should review the IS Audit and Assurance Guidelines thoroughly to identify the subject matter that is fully addressed on the job. The IS Audit and Assurance Guidelines are living documents. The most current documents may be viewed at www.isaca.org/standards.

Index of IS Audit and Assurance Guidelines
• G1 Using the Work of Other Auditors, effective 1 March 2008
  - This guideline sets out how the IS auditor should consider using the work of other experts in the audit when there are constraints that could impair the audit work to be performed or potential gains in the quality of the audit.
  - Very often, certain expertise or knowledge is required by the technical nature of the tasks to be performed, scarce audit resources and limited knowledge of specific areas of audit. An 'expert' could be an IS auditor from the external accounting firm, a management consultant, an IT expert or expert in the area of the audit who has been appointed by top management or by the IS audit team.
• G2 Audit Evidence Requirement, effective 1 May 2008
  - Guidelines to the IS auditor about how to obtain sufficient and appropriate audit evidence and draw reasonable conclusions on which to base the audit results.
  - This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
• G3 Use of Computer-Assisted Audit Techniques (CAATs), effective 1 March 2008
  - As entities increase the use of information systems to record, transact and process data, the need for the IS auditor to utilize IS tools to adequately assess risk becomes an integral part of audit coverage. The use of computer-assisted audit techniques (CAATs) serves as an important tool for the IS auditor to evaluate the control environment in an efficient and effective manner. The use of CAATs can lead to increased audit coverage, more thorough and consistent analysis of data, and reduction in risk.
  - CAATs include many types of tools and techniques, such as generalized audit software, customized queries or scripts, utility software, software tracing and mapping, and audit expert systems.
• G4 Outsourcing of IS Activities to Other Organizations, effective 1 May 2008
  - An organization (the service user) may partially or fully delegate some or all of its IS activities to an external provider of such services (the service provider). The provider could either be onsite using the service user's systems or offsite using its own systems. IS activities that could be outsourced include IS functions such as data centre operations, security, and application system development and maintenance.
  - The responsibility for confirming compliance with contracts, agreements and regulations remains with the service user.
  - The rights to audit are often unclear. The responsibility for auditing compliance is also often not clear. The purpose of this guideline is to set out how the IS auditor should comply with standards S1, S5 and S6 in this situation.
  - This guideline provides guidance in applying IT audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G5 Audit Charter, effective 1 February 2008
  - The purpose of this guideline is to assist the IS auditor to prepare an audit charter to define the responsibility, authority and accountability of the IS audit function. This guideline is aimed primarily at the internal IS audit function; however, aspects could be considered for other circumstances.
  - This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
• G6 Materiality Concepts for Auditing Information Systems, effective 1 May 2008
  - Unlike financial auditors, IS auditors require a different yardstick to measure materiality. Financial auditors ordinarily measure materiality in monetary terms, since what they audit is also measured and reported in monetary terms. IS auditors ordinarily perform audits of non-financial items, e.g., physical access controls, logical access controls, program change controls, and systems for personnel management, manufacturing control, design, quality control, password generation, credit card production and patient care. Therefore, IS auditors may need guidance on how materiality should be assessed to plan their audits effectively, how to focus their effort on high-risk areas and how to assess the severity of any errors or weaknesses found.
  - This guideline provides guidance in applying IS auditing standards on audit materiality. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
• G7 Due Professional Care, effective 1 March 2008
  - The purpose of this guideline is to clarify the term 'due professional care' as it applies to the performance of an audit in compliance with standard S3 of the IT audit and assurance standards.
  - Members and ISACA certification holders are expected to comply with the ISACA Code of Professional Ethics; failure may result in an investigation into the member/certification holder's conduct and ultimately in disciplinary action, if necessary.
  - The guideline provides guidance in applying IT audit and assurance standards and complying with the ISACA Code of Professional Ethics on performance of duties with due diligence and professional care. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G8 Audit Documentation, effective 1 March 2008
  - The purpose of this guideline is to describe the documentation that the IS auditor should prepare and retain to support the audit.
  - This guideline provides guidance in applying IT audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G9 Audit Considerations for Irregularities and Illegal Acts, effective 1 September 2008
  - The purpose of this guideline is to provide guidance to IS auditors to deal with irregular or illegal activities they may come across during the performance of audit assignments.
  - Standard S9 Irregularities and Illegal Acts elaborates on requirements and considerations by IS auditors for irregularities and illegal acts. This guideline provides guidance in applying IT audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of the previously identified standards, use professional judgment in its application and be prepared to justify any departure.
• G10 Audit Sampling, effective 1 August 2008
  - The purpose of this guideline is to provide guidance to the IS auditor to design and select an audit sample and evaluate sample results. Appropriate sampling and evaluation will meet the requirements of 'sufficient, reliable, relevant and useful evidence' and 'supported by appropriate analysis'.
  - This guideline provides guidance in applying IT audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of standard S6, use professional judgment in its application and be prepared to justify any departure.
• G11 Effect of Pervasive IS Controls, effective 1 August 2008
  - To form an opinion on the effectiveness of the detailed controls being audited, the IS auditor should consider the need to assess the effectiveness of management and monitoring of information systems, even when such matters are outside the agreed-upon scope for the audit. The outcome of such considerations may range from an extension of the agreed scope to an appropriately qualified report.
  - The total population of management and monitoring controls is broad, and some of these controls may not be relevant to the specific audit objective. To assess the audit risk and determine the appropriate audit approach, the IS auditor needs a structured method of determining:
    • Those management and monitoring controls that are relevant to the audit scope and objectives
    • Those management and monitoring controls that should be tested
    • The effect of the relevant management and monitoring controls on the audit opinion
• G12 Organizational Relationship and Independence, effective 1 August 2008
  - The purpose of this guideline is to expand on the meaning of 'independence' as used in standard S2 and to address the IS auditor's attitude and independence in IS auditing.
  - This guideline provides guidance in applying IS audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G13 Use of Risk Assessment in Audit Planning, effective 1 August 2008
  - The level of audit work required to meet a specific audit objective is a subjective decision made by the IS auditor. The risk of reaching an incorrect conclusion based on the audit findings (audit risk) is one aspect of this decision. The other is the risk of errors occurring in the area being audited (error risk). Recommended practices for risk assessment in carrying out financial audits are well documented in auditing standards for financial auditors, but guidance is required on how to apply such techniques to IS audits.
  - This guideline provides guidance in applying IS audit and assurance standards. The IS auditor should consider it in determining how to achieve implementation of standards S5 and S6, use professional judgment in its application, and be prepared to justify any departure.
• G14 Application Systems Review, withdrawn 14 January 2013. See Generic Application Audit/Assurance Program.
• G15 Audit Planning, effective 1 May 2010
  - The purpose of this guideline is to define the components of the planning process as stated in standard S5 of the IS Audit and Assurance Standards.
  - This guideline also provides for planning in the audit process to meet the objectives set by COBIT.
• G16 Effect of Third Parties on Organization's IS Controls, withdrawn 14 January 2013. See Outsourced IT Environments Audit/Assurance Program.
• G17 Effect of Nonaudit Role on the IS Audit and Assurance Professional's Independence, effective 1 May 2010
  - The purpose of this guideline is to provide a framework to enable the IS auditor to:
    • Establish when the required independence may be, or may appear to be, impaired
    • Consider potential alternative approaches to the audit process when the required independence is, or may appear to be, impaired
    • Determine the disclosure requirements
• G18 IT Governance, withdrawn 14 January 2013
• G19 Irregularities and Illegal Acts, withdrawn 1 September 2008
• G20 Reporting, effective 16 September 2010
  - This guideline sets out how the IS auditor should comply with ISACA IS audit and assurance standards and COBIT when reporting on an organization's information system controls and related control objectives.
• G21 Enterprise Resource Planning (ERP) Systems Review, withdrawn 14 January 2013. See Security, Audit and Control Features SAP ERP, 3rd Edition, Audit Programs and ICQs.
• G22 Business-to-consumer (B2C) E-commerce Review, withdrawn 14 January 2013. See E-commerce and PKI Audit/Assurance Program.
• G23 System Development Life Cycle (SDLC) Review, withdrawn 14 January 2013. See Systems Development and Project Management Audit/Assurance Program.
• G24 Internet Banking, withdrawn 14 January 2013
• G25 Review of Virtual Private Networks, withdrawn 14 January 2013. See VPN Security Audit/Assurance Program.
• G26 Business Process Reengineering (BPR) Project Reviews, withdrawn 14 January 2013
• G27 Mobile Computing, withdrawn 14 January 2013. See Mobile Computing Security Audit/Assurance Program.
• G28 Computer Forensics, withdrawn 14 January 2013
• G29 Postimplementation Review, withdrawn 14 January 2013. See Systems Development and Project Management Audit/Assurance Program.
• G30 Competence, effective 1 June 2005
  - This guideline provides guidance in applying IS Auditing Standard S4 Professional Competence. The IS auditor should consider this guideline in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G31 Privacy, withdrawn 14 January 2013. See Personally Identifiable Information (PII) Audit/Assurance Program.
• G32 Business Continuity Plan Review From IT Perspective, withdrawn 14 January 2013. See Business Continuity Management Audit/Assurance Program.
• G33 General Considerations on the Use of the Internet, withdrawn 14 January 2013. See E-commerce and PKI Audit/Assurance Program.
• G34 Responsibility, Authority and Accountability, effective 1 March 2006
  - This guideline provides guidance in applying IS Audit and Assurance Standard S1 Audit Charter and S3 Professional Ethics and Standards. The IS auditor should consider this guideline in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
• G35 Follow-up Activities, effective 1 March 2006
  - The purpose of this guideline is to provide direction to IS auditors engaged in following up on recommendations and audit comments made in reports. This guideline provides guidance in applying IS Audit and Assurance Standard S8 Follow-up Activities.
• G36 Biometric Controls, withdrawn 14 January 2013. See Biometrics Audit/Assurance Program.
• G37 Configuration Management, withdrawn 14 January 2013
• G38 Access Control, withdrawn 14 January 2013. See Identity Management Audit/Assurance Program.
• G39 IT Organizations, withdrawn 14 January 2013
• G40 Review of Security Management Practices, withdrawn 14 January 2013. See Security Incident Management Audit/Assurance Program.
• G41 Return on Security Investment (ROSI), withdrawn 14 January 2013
• G42 Continuous Assurance, effective 1 May 2010
  - While the concept of continuous assurance is not limited to IS audit, IS audit and assurance professionals are often called on to develop, implement and maintain continuous assurance processes and systems. IS audit and assurance professionals can add value by leveraging their unique combination of business and technical skills and experience necessary to successfully implement continuous assurance processes and systems and engage the broad range of business and IT stakeholders involved. This guidance is intended for IS audit and assurance professionals planning, implementing and maintaining continuous assurance processes and systems.

1.3.4 ISACA IS AUDIT AND ASSURANCE TOOLS AND TECHNIQUES
Tools and techniques developed by ISACA provide examples of possible processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific tool and technique, IS auditors should apply their own professional judgment to the specific circumstances. The tools and techniques documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

Tools and techniques are currently categorized into:
• Reference series (books)
• Audit/Assurance programs
• White papers
• Journal articles

It is not mandatory for the IS auditor to follow these tools and techniques; however, following these procedures will provide assurance that the standards are being followed by the auditor.

1.3.5 RELATIONSHIP AMONG STANDARDS, GUIDELINES, AND TOOLS AND TECHNIQUES
Standards defined by ISACA are to be followed by the IS auditor. Guidelines provide assistance on how the auditor can implement standards in various audit assignments. Tools and techniques are not intended to provide exhaustive guidance to the auditor when performing an audit. Tools and techniques provide examples of steps the auditor may follow in specific audit assignments to implement the standards; however, the IS auditor should use professional judgment when using guidelines and tools and techniques.

There may be situations in which the legal/regulatory requirements are more stringent than the requirements contained in ISACA Standards. In such cases, the IS auditor should ensure compliance with the more stringent legal/regulatory requirements.

For example, section 3.1.2 of Guideline 12 supporting Standard 1002 Organisational Independence (Organizational Relationship and Independence) states: "The IS auditors' independence would not necessarily be impaired as a result of performing an audit of IS where their personal transactions occur in the normal course of business." However, in some countries, regulatory enactments strictly prohibit auditors from accepting audit assignments from banks from which they have availed credit facilities. In such cases, IS auditors should give precedence to the applicable regulatory requirement and not accept the assignment, even though accepting the assignment would be in compliance with the requirement of the Guideline 12.

1.3.6 INFORMATION TECHNOLOGY ASSURANCE FRAMEWORK (ITAF)
ITAF is a comprehensive and good-practice-setting model that:
• Provides guidance on the design, conduct and reporting of IS audit and assurance assignments
• Defines terms and concepts specific to IS assurance
• Establishes standards that address IS audit and assurance professional roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements

ITAF is focused on ISACA material as well as content and guidance developed by the IT Governance Institute (ITGI) and other organizations, and, as such, provides a single source through which IS audit and assurance professionals can seek guidance, research policies and procedures, establish audit and assurance programs, and develop effective reports. ITAF includes three categories of standards (general, performance and reporting) as well as guidelines and tools and techniques:
• General Standards: The guiding principles under which the IS assurance profession operates. They apply to the conduct
  of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance Standards: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting Standards: Address the types of reports, means of communication and the information communicated.
• Guidelines: Provide the IS audit and assurance professional with information and direction about an audit or assurance area. In line with the three categories of standards outlined above, guidelines focus on the various audit approaches, methodologies, tools and techniques, and related material to assist in planning, executing, assessing, testing and reporting on IT processes, controls and related audit or assurance initiatives. Guidelines also help clarify the relationship between enterprise activities and initiatives, and those undertaken by IT.
• Tools and Techniques: Provide specific information on various methodologies, tools and templates, and provide direction in their application and use to operationalize the information provided in the guidance. Note that the tools and techniques are directly linked to specific guidelines. They take a variety of forms, such as discussion documents, technical direction, white papers, audit programs or books, e.g., the ISACA publication on SAP, which supports the guideline on enterprise resource planning (ERP) systems.

This organization is illustrated in exhibit 1.3.

Section 1000 - General Standards
General standards are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.

General standards include:
• Independence and Objectivity: The IS audit and assurance professional should maintain an independent and objective state of mind in all matters related to the conduct of the IS assurance assignment. The IS audit and assurance professional must conduct the IS assurance assignment with an impartial and unbiased frame of mind in addressing assurance issues and reaching conclusions. It is important that the IS audit and assurance professional not only be independent, but also appear to be independent at all times.
• Reasonable Expectation: The IS audit and assurance professional should have a reasonable expectation that the IS assurance assignment can be completed in accordance with these IS assurance standards or other appropriate professional, regulatory or industry standards, and result in a professional opinion. The scope of the audit or assurance engagement should be sufficient to permit a conclusion to be drawn on the subject matter and the ability to address any restrictions.
• Management's Acknowledgement: The IS audit and assurance professional should be satisfied that management understands his/her obligations and responsibilities with respect to the provision of appropriate, relevant and timely information that may be required in the performance of the assignment and his/her responsibility to ensure the cooperation of personnel during the audit or assurance activity.
• Training and Proficiency: The IS audit and assurance professional and others assisting with the assignment should collectively possess adequate skills and proficiency in conducting IS audit and assurance assignments to enable the professionals to perform the work required.
• Knowledge of the Subject Matter: The IS audit and assurance professional and others engaged in performing the IS assurance assignment should collectively possess adequate knowledge of the subject matter.
• Due Professional Care: The IS audit and assurance professional should exercise due care in planning, performing and reporting on the results of the IS assurance assignment.

[Exhibit 1.3 (figure): General Standards, Performance Standards, Reporting Standards. Source: ... IT Assurance, USA, 2008, figure 1]
• Suitable Criteria: IS audit subject matter should be evaluated against suitable and appropriate criteria. The characteristics of suitable criteria include:
  • Objectivity: Criteria should be free from bias that may adversely impact the IS audit and assurance professional's findings and conclusions, and, accordingly, may mislead the user of the IS assurance report.
  • Measurability: Criteria should permit consistent measurement of the subject matter and the development of consistent conclusions when applied by different IS audit and assurance professionals in similar circumstances.
  • Understandability: Criteria should be communicated clearly and not be subject to significantly different interpretations by intended users.
  • Completeness: Criteria should be sufficiently complete so that all criteria that could affect the IS audit and assurance professional's conclusions about the subject matter are identified and used in the conduct of the IS assurance assignment.
  • Relevance: Criteria should be relevant to the subject matter and contribute to findings and conclusions that meet the objectives of the IS assurance assignment.

Current ISACA IS audit and assurance standards include the following general standards:
• 1001 Audit Charter
• 1002 Organisational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertions
• 1008 Criteria

Section 1200 - Performance Standards
Performance standards establish baseline expectations in the conduct of IS assurance engagements. While these standards apply to assurance professionals performing any assurance assignment, compliance is particularly important when the IS audit and assurance professional is acting in an audit capacity. Accordingly, the performance standards focus on the IS audit and assurance professional's attention to the design of the assurance work, the conduct of the assurance, the evidence required, and the development of assurance and audit findings and conclusions.

Performance standards include:
• Planning and Supervision: IS assurance work should be adequately planned and the IS audit and assurance professional should ensure that other persons performing the IS assurance assignment are properly supervised. Planning of the IS assignment should address the:
  - Objective of the IS audit or assurance assignment
  - Criteria to be used in conducting the IS assurance assignment
  - Level of assurance required. This includes whether the engagement is to be conducted at the examination or review level, or as an advisory or consulting assignment, what type
  - Possible sources of information and evidence, including the tools, techniques and skills required to obtain the evidence. Considerations may include the use of computer-assisted audit techniques (CAATs), audit software and unique analyses.
  - Availability of appropriate and skilled IS audit and assurance resources
  - Availability and access to records and other information
  - Preliminary conclusions on assignment and audit risks, and the means by which these risks will be mitigated
  - Resource and expertise requirements, as well as their source, critical skills required and the timing of their participation in the IS assurance activity
  - Nature, extent and timing of the various IS assurance tasks and, if an audit is being performed, audit tests
  - Conditions that may require extension or modification of assurance work and audit tests
  - Anticipation of time requirements and the establishment of time and cost budgets
  - Nature of the expected report

  Planning and supervision work should be documented and form part of the IS assurance work papers. This documentation should clearly indicate the nature, extent and timing of IS assurance work performed; the information and documents obtained; and the conclusions reached regarding the subject matter.
• Obtaining Sufficient Evidence: When an audit is being performed, the IS audit and assurance professional should obtain sufficient evidence to provide a reasonable basis for the conclusions drawn and expressed in the IS audit report:
  - IS audit procedures should be applied to obtain and accumulate sufficient and appropriate audit evidence to provide a reasonable basis for conclusions to be drawn and expressed in the IS auditor's report. Sufficiency addresses the concept of quantity of evidence, and appropriateness addresses the quality of evidence in support of measuring the achievement of the audit objective. In determining the sufficiency and appropriateness of IS audit evidence, the IS audit and assurance professional should consider the level of assurance being provided and the assessment of risk.
  - Evidence is normally obtained through inspection, observation, enquiry, confirmation, re-performance, analysis and discussion. The IS audit and assurance professional may seek corroborating evidence from different sources when forming a conclusion on the results of an IS audit procedure.
  - The IS audit and assurance professional should ensure that the source of evidence is considered when assessing its appropriateness in supporting the audit procedure.
  - The IS audit and assurance professional should document the test performed and the results obtained in sufficient detail to support the conclusions reached.
• Assignment Performance: The IS assurance assignment must be scheduled with regard to the timing, availability, and other commitments and requirements of management and the auditee as well as with regard to the timing requirements of report users. In scheduling audit personnel, care must be taken
to ensure that the corre6t personnel are available and
that issues
of findings and conclusions will be required; and what format ofcontinuiry, skills and experience are addressed:
reporting will take. - Professional staffmuit be assigned to tasks that are within
Nature of the subject matter and the likely items within the their knowledge and skills.
-
assertion


  - The work must be conducted with due care and appropriate consideration for management and auditee issues and concerns, including timing and timeliness.
  - IS audit performance must address the objectives and mandate of the audit.
• Representations—The IS audit and assurance professional will receive representations during the course of conducting the IS audit—some written and others oral. As part of the audit process, these representations should be documented and retained in the work-paper file. In addition, for attestation engagements, representations from the auditee should be obtained in writing to reduce possible misunderstandings. Matters that may appear in a representation letter include:
  - A statement by the auditee acknowledging responsibility for the subject matter and, when applicable, the assertions
  - A statement by the auditee acknowledging responsibility for the criteria, and where applicable, the assertions
  - A statement by the auditee acknowledging responsibility for determining that the criteria are appropriate for the purposes
  - A list of specific assertions about the subject matter based on the criteria selected
  - A statement that all known matters contradicting the assertions have been disclosed to the IS audit and assurance professional
  - A statement that all communications from regulators affecting the subject matter or the assertions have been disclosed to the IS audit and assurance professional
  - A statement that the IS audit and assurance professional has been provided access to all relevant information and records, files, etc., pertaining to the subject matter
  - A statement on any significant events that have occurred subsequent to the date of the audit report and prior to release of that report
  - Other matters that the IS audit and assurance professional may deem relevant or appropriate

Frequently, a summary of all representations made during the assignment is prepared and signed prior to finalization of the audit or assurance work.

While the same degree of rigor is not essential in non-audit assurance engagements, the assurance professional should obtain representations from management on key issues.

Current ISACA IS audit and assurance standards include the following performance standards:
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts

Section 1400—Reporting Standards
The report produced by the IS audit and assurance professional will vary, depending on the type of assignment performed. Considerations include the level of assurance, whether the assurance professional was acting in an audit capacity, whether the assurance professional is providing a direct report on the subject matter or is reporting on assertions regarding the subject matter, and whether the report is based on work performed at the review level or the examination level.

Reporting standards address (1) types of reports, (2) the means of communication, and (3) information to be communicated.

At minimum, the IS audit and assurance professional's report and/or associated attachments should:
• Identify to whom the report is directed
• Identify the nature and objectives of the IS assurance assignment
• Identify the entity or portion thereof covered by the IS assurance report
• Identify the subject matter or assertions on which the IS audit and assurance professional is reporting
• Provide a description of the nature of the scope of the work, including a brief statement on matters that are not within the scope of the assignments as well as those that are, to remove any doubt about the scope
• State the time frame or period covered by the report
• State the period during which the IS assurance was performed
• Provide a reference to the applicable professional standards governing the IS assurance assignment and against which the IS assurance work was conducted
• Identify management assertions, if any
• Describe the responsibilities of management and the IS audit and assurance professional
• Identify the criteria against which the subject matter was evaluated
• State a conclusion on the level of assurance being provided (Depending on the type of assignment, this could range from an audit report to a review report where no assurance is provided.)
• State any reservations that the IS audit and assurance professional may have (These may include scope, timing, and inability to obtain sufficient information or conduct appropriate tests, and are particularly important in audit assignments.)
• State any restrictions on the distribution or use of the report
• State the date of the report
• State where the report was issued
• State who issued the report (name or organization of the IS auditor)
• Include the IS audit and assurance professional's signature on the written report

In addition, depending on the nature of the IS audit or assurance assignment, other information should be provided such as specific government directives, corporate policies or other information germane to the reader's understanding of the IS assurance assignment.

Current ISACA IS audit and assurance standards include the following reporting standards:
• 1401 Reporting
• 1402 Follow-up Activities

Section 3000—IS Assurance Guidelines
Section 3000 addresses guidelines in the following areas:

Section   Guideline Area
3200      Enterprise Topics
3400      IS Management Processes
3600      IS Audit and Assurance Processes
3800      IS Audit and Assurance Management


Each section within the guidelines focuses on one of the following:
• IT issues and processes that the IS audit and assurance professional should understand and consider when determining the planning, scoping, execution and reporting of IS audit or assurance activities
• IS audit and assurance processes, procedures, methodologies and approaches that the IS audit and assurance professional should consider when conducting IS assurance activities

The guidelines are supported by references to additional ISACA resources.

Section 3200—Enterprise Topics
Section 3200 addresses enterprise-wide issues that may impact the IS audit and assurance professional in the planning and performance of the IS audit and assurance mission. The guidelines provide the IS audit and assurance professional with an understanding of enterprise-wide issues such as executive actions, external events and decisions that impact the IT department and, hence, the IS audit and assurance planning, designing, executing and reporting processes. This understanding may be provided by executive and senior user management and can be obtained from within the IT department. In addition, relevant information may also be obtained from work performed by non-IS audit and assurance professionals, either as part of an integrated audit assignment or from the other audit findings and reports.

By gaining an understanding of the environment in which the IT function operates—whether a separate IT department or a technology function located within business units—the IS audit and assurance professional should also gain an appreciation for the business and political pressures the IT function must address. The IS audit and assurance professional also gains an appreciation for the perspectives from which the various stakeholders approach the IS services and assess the performance of IT service providers. Thus, the IS audit and assurance professional can put into context the various IT functions and initiatives.

In addition to the operational environment, the IS audit and assurance professional should also consider the control environment and the system of internal control.

Section 3200 addresses guidelines in the following areas:

Section   Guideline Area
3210      Implication of Enterprise-wide Policies, Practices and Standards on the IT Function
3230      Implication of Enterprise-wide Assurance Initiatives on the IT Function
3250      Implication of Enterprise-wide Assurance Initiatives on IS Assurance Plans and Activities
3270      Additional Enterprise-wide Issues and Their Impact on the IT Function

Section 3400—IS Management Processes
Section 3400 addresses IT management. Guidelines in this section provide the IS audit and assurance professional with an understanding of various IT management and IT operations topics as a background to the planning and scoping of IS assurance activities. Guidance in this section may also provide the IS audit and assurance professional with direction or information that will be of use in conducting an audit, and information on IT topics that the IS audit and assurance professional is likely to, or should expect to, encounter during the conduct of IS audit or assurance work.

IT management guidelines also provide the IS audit and assurance professional with insight into the practices and procedures of IT departments. As such, the section focuses on the planning, organization and strategizing of activities of IT departments; acquisition of information and information technology; implementation; support and delivery of IT services; and the monitoring and improvement of IT practices and procedures to enhance security, control and shareholder value. The section provides the IS audit and assurance professional with information on common practices, issues and concerns, as well as risks and pitfalls in each area, and approaches and methodologies management can use to enhance value. It also provides the IS audit and assurance professional with guidance on the types of controls that management is likely to or should implement.

Section 3400 addresses guidelines in the following areas:

Section   Guideline Area
3410      IT Governance (Mission, Goals, Strategy, Corporate Alignment, Reporting)
3412      Determining the Impact of Enterprise Initiatives on IS Assurance Activities
3415      Using the Work of Other Experts in Conducting IS Assurance Activities
3420      IT Project Management
3425      IT Information Strategy
3427      IT Information Management
3430      IT Plans and Strategy (Budgets, Funding, Metrics)
3450      IT Processes (Operations, Human Resources, Development etc.)
3470      IT Risk Management
3490      IT Support of Regulatory Compliance

Section 3600—IS Audit and Assurance Processes
Section 3600 focuses on audit approaches, methodologies and techniques. It provides the IS audit and assurance professional with information on common practices, issues, concerns and pitfalls when employing various audit and assurance procedures, and guidance on how to plan and conduct the assurance activity to ensure success. It also provides the IS audit and assurance professional with specific guidance on testing controls.

The IS audit and assurance professional should recognize and appreciate the role of IT in the enterprise, and the relationships that exist between IT departments and enterprise operations and management.

When performing audit and assurance work, it is suggested that ISACA members indicate that "The work was performed in accordance with ISACA audit and assurance standards."

Section 3600 addresses guidelines in the following areas:

Section   Guideline Area
3601      Relying on the Work of Specialists and Others
3607      Integrating IS Audit and Assurance Work With Other Audit Activities
3610      Using COBIT in the IS Assurance Process
3630      Auditing IT General Controls (ITGCs)
3650      Auditing Application Controls
3653      Auditing Traditional Application Controls
3655      Auditing Enterprise Resource Planning (ERP) Systems
3657      Auditing Alternative Software Development Strategies
3660      Auditing Specific Requirements
3661      Auditing Government-specified Criteria
3662      Auditing Industry-specified Criteria
3670      Auditing With Computer-assisted Audit Techniques
3680      IS Auditing and Regulatory Reporting
3690      Selecting Items of Assurance Interest

Section 3800—IS Audit and Assurance Management
Section 3800 addresses IS audit and assurance management. Guidance in this section provides the IS audit and assurance professional with an understanding of information required to manage an IS audit assignment. The section commences with information about the creation and management of the IS audit or assurance function and follows with discussion of various IS audit and assurance management topics. These topics include audit and assurance planning and scoping, then refining the initial scoping, putting information into a detailed IS audit plan and scope document that incorporates the IS audit or assurance objectives. Next this section addresses managing the execution of the IS audit and assurance professional's work. The section provides guidance in documenting assurance work, and documenting and clearing findings and recommendations. The section also addresses effective assurance reporting considerations.

Section 3800 addresses guidelines in the following areas:

Section   Guideline Area
3810      IS Audit or Assurance Function
3820      Planning and Scoping IS Audit and Assurance Objectives
3830      Planning and Scoping IS Audit and Assurance Work
3835      Planning and Scoping Risk Assessments
3840      Managing the IS Audit and Assurance Process Execution
3850      Integrating the Audit and Assurance Process
3860      Gathering Evidence
3870      Documenting IS Audit and Assurance Work
3875      Documenting and Confirming IS Audit and Assurance Findings
3880      Evaluating Results and Developing Recommendations
3890      Effective IS Audit and Assurance Reporting
3892      Reporting IS Audit and Assurance Recommendations
3894      Reporting on IS Advisory and Consultancy Reviews

1.4 RISK ANALYSIS
Risk analysis is part of audit planning, and helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks.

In evaluating IT-related business processes applied by an organization, understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks. They must have knowledge of common business risks, related technology risks and relevant controls. They must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan audit work. In addition to an understanding of business risk and control, IS auditors must understand that risk exists within the audit process.

Risk is the combination of the probability of an event and its consequence (ISO/IEC 73). Business risk may negatively impact the assets, processes or objectives of a specific business or organization. The IS auditor is often focused on high-risk issues associated with the confidentiality, availability or integrity of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information. In reviewing these types of IT-related business risk, IS auditors will often assess the effectiveness of the risk management process an organization uses.

In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:
• The purpose and nature of business, the environment in which the business operates and related business risks
• The dependence on technology to process and deliver business information
• The business risk of using IT and how it impacts the achievement of the business goals and objectives
• A good overview of the business processes and the impact of IT and related risks on the business process objectives

ISACA's Risk IT framework is based on a set of guiding principles and features business processes and management guidelines that conform to these principles. The framework is described in The Risk IT Framework publication and is dedicated to helping enterprises manage IT-related risk. The collective experience of a global team of practitioners and experts, and existing and emerging practices and methodologies for effective IT risk management, have been consulted in the development of the Risk IT framework.

There are many definitions of risk, reflecting that risk means different things to different people. Perhaps one of the most succinct definitions of risk used within the information security business world is provided by the Guidelines for the Management of IT Security published by the International Organization for Standardization (ISO):


    "The potential that a given threat will exploit vulnerabilities of an asset (G.3) or group of assets and thereby cause harm to the organization." (ISO/IEC PDTR 13335-1)

This definition is used commonly by the IT industry since it puts risk into an organizational context by using the concepts of assets and loss of value—terms that are easily understood by business managers.

ISACA's Risk IT framework defines IT risk as follows:

    IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives and uncertainty in the pursuit of opportunities.

The Risk IT framework recognizes that management of business risk is an essential component of the responsible administration of any enterprise. Almost every business decision requires the executive or manager to balance risk and reward.

The pervasive use of IT can provide significant benefits to an enterprise, but it also involves risk. Due to IT's importance to the overall business, IT risk should be treated like other key business risks, such as market risk, credit risk and other operational risks, all of which fall under the highest "umbrella" risk category: failure to achieve strategic objectives. While these other risks have long been incorporated into corporate decision-making processes, too many executives tend to relegate IT risk to technical specialists outside the boardroom.

The Risk IT framework explains IT risk and enables users to:
• Integrate the management of IT risk into the overall enterprise risk management of the organization
• Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
• Understand how to respond to the risk

In brief, this framework allows the enterprise to make appropriate risk-adjusted decisions.

The risk assessment process is characterized as an iterative life cycle which begins with identifying business objectives, information assets, and the underlying systems or information resources that generate/store, use or manipulate the assets (hardware, software, databases, networks, facilities, people, etc.) critical to achieving these objectives. Since IT risks are dynamic, it is strategic for management to recognize the need for and establish a dynamic IT risk management process that supports the business risk management process. The greatest degree of risk management effort may then be directed toward those considered most sensitive or critical to the organization. Once sensitive and/or critical information assets are identified, a risk assessment is performed to identify vulnerabilities and threats and determine the probability of occurrence, and the resulting impact and additional safeguards that would mitigate this impact to a level acceptable to management.

Next, during the risk mitigation phase, controls are identified for mitigating identified risks. These controls are risk-mitigating countermeasures that should prevent or reduce the likelihood of a risk event occurring, detect the occurrence of a risk event, minimize the impact, or transfer the risk to another organization.

The assessment of countermeasures should be performed through a cost-benefit analysis where controls to mitigate risks are selected to reduce risk to a level acceptable to management. This analysis process may be based on any of the following:
• The cost of the control compared to the benefit of minimizing the risk
• Management's appetite for risk (i.e., the level of residual risk that management is prepared to accept)
• Preferred risk-reduction methods (e.g., terminate the risk, minimize probability of occurrence, minimize impact, transfer the risk via insurance)

The final phase relates to monitoring performance levels of the risks being managed when identifying any significant changes in the environment that would trigger a risk reassessment, warranting changes to its control environment. It encompasses three processes—risk assessment, risk mitigation and risk reevaluation—in determining whether risks are being mitigated to a level acceptable to management. It should be noted that, to be effective, risk assessment should be an ongoing process in an organization that endeavors to continually identify and evaluate risks as they arise and evolve. See exhibit 1.4 for the summary of the risk assessment process.

From the IS auditor's perspective, risk analysis serves more than one purpose:
• It assists the IS auditor in identifying risks and threats to an IT environment and IS system—risks and threats that would need to be addressed by management—and in identifying system-specific internal controls. Depending on the level of


it represents that a service organization has been through an in-depth audit of their control activities, which generally include controls over information technology and related processes. SSAE 16-type reviews provide guidance to enable an independent auditor (service auditor) to issue an opinion on a service organization's description of controls through a service auditor's report, which then can be relied on by the IS auditor of the entity that utilizes the services of the service organization.
• Forensic audits—Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities. In recent years, the forensic professional has been called on to participate in investigations related to corporate fraud and cybercrime. In cases where computer resources may have been misused, further investigation is necessary to gather evidence for possible criminal activity that can then be reported to appropriate authorities. A computer forensic investigation includes the analysis of electronic devices such as computers, smartphones, disks, switches, routers, hubs and other electronic equipment. An IS auditor possessing the necessary skills can assist the information security manager in performing forensic investigations and conduct the audit of the systems to ensure compliance with the evidence collection procedures for forensic investigation. Electronic evidence is vulnerable to changes; therefore, it is necessary to handle electronic evidence with utmost care and controls should ensure that no manipulation can occur. Chain of custody for electronic evidence should be established to meet legal requirements.

Improperly handled computer evidence is subject to being ruled inadmissible by judicial authorities. The most important consideration for a forensic auditor is to make a bit-stream image of the target drive and examine that image without altering date stamps or other information attributable to the examined files. Further, forensic audit tools and techniques such as data mapping for security and privacy risk assessment, and the search for intellectual property for data protection, are also being used for prevention, compliance and assurance.

1.6.2 AUDIT PROGRAMS
An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit. Audit programs for financial, operational, integrated, administrative and IS audits are based on the scope and objective of the particular assignment. IS auditors often evaluate IT functions and systems from different perspectives such as security (confidentiality, integrity and availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service and capacity. The audit work program is the audit strategy and plan—it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

General audit procedures are the basic steps in the performance of an audit and usually include:
• Obtaining and recording an understanding of the audit area/subject
• A risk assessment and general audit plan and schedule
• Detailed audit planning that would include the necessary audit steps and a breakdown of the work planned across an anticipated timeline
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed to meet control objectives
• Compliance testing (tests of the implementation of controls, and their consistent application)
• Substantive testing (confirming the accuracy of information)
• Reporting (communicating results)
• Follow-up in cases where there is an internal audit function

The IS auditor must understand the procedures for testing and evaluating IS controls. These procedures could include:
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of operating system, database and application parameter files (to detect deficiencies in system parameter settings)
• Flow-charting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operation/application systems
• Documentation review
• Inquiry and observation
• Walkthroughs
• Reperformance of controls

The IS auditor should have a sufficient understanding of these procedures to allow for the planning of appropriate audit tests.

1.6.3 AUDIT METHODOLOGY
An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, a statement of audit objectives and a statement of audit programs.

The audit methodology should be set up and approved by audit management to achieve consistency in the audit approach. This methodology should be formalized and communicated to all audit staff.

Exhibit 1.7 lists the phases of a typical audit. An early and critical product of the audit process should be an audit program that is the guide for performing and documenting all the following audit steps, and the extent and types of evidential matter reviewed.

Although an audit program does not necessarily follow a specific set of steps, the IS auditor typically would follow, as a minimum course of action, sequential program steps to gain an understanding of the entity under audit, evaluate the control structure and test the controls.

Each audit department should design and approve an audit methodology as well as the minimum steps to be observed in any audit assignment.
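The compliance-testing procedure from section 1.6.2 (specialized software assessing a parameter file to detect deficiencies in system parameter settings), worked through as an added example that is not part of the manual or of ISACA's material. The sample file, the parameter names and the baseline values are hypothetical; the point is that every exception carries the evidence behind it.

```python
"""Added example, not from the CISA Review Manual or ISACA: a compliance test
over a constructed operating system parameter file.

The control objective is expressed as a baseline of expected parameter
values. The observed file is parsed, every baseline parameter is compared,
and each exception is recorded with the evidence behind it (file hash, line
number, observed value) so the work paper shows sufficient and appropriate
evidence for the conclusion. Parameter names and values are hypothetical.
"""
import hashlib
import operator
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample file; the parameter names are hypothetical.
SAMPLE_PARAMETER_FILE = """\
# login policy (constructed sample, not a real system file)
password_min_length = 8
password_max_age_days = 90
lockout_threshold = 0
# lockout_duration_minutes deliberately not set, so a system default applies
audit_logging = disabled
remote_root_login = no
"""

# Hypothetical baseline: parameter -> (comparison, expected value).
# A parameter that is absent is an exception too: an unseen default
# cannot be shown to satisfy the control objective.
BASELINE = {
    "password_min_length": (">=", 12),
    "password_max_age_days": ("<=", 90),
    "lockout_threshold": ("between", (1, 10)),
    "lockout_duration_minutes": (">=", 15),
    "audit_logging": ("==", "enabled"),
    "remote_root_login": ("==", "no"),
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    parameter: str
    line: Optional[int]        # None when the parameter is not set at all
    observed: Optional[str]
    expected: str
    evidence_sha256: str       # ties the finding to the exact file examined


def parse_parameter_file(text: str) -> dict:
    """Return {parameter: (line_number, raw_value)}, skipping blanks and comments."""
    parsed = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _LINE.match(raw)
        if match:
            parsed[match.group(1)] = (number, match.group(2))
    return parsed


def _satisfies(observed: str, rule: tuple) -> bool:
    comparison, expected = rule
    if comparison == "==":
        return observed.lower() == str(expected).lower()
    try:
        value = int(observed)
    except ValueError:          # non-numeric where a number is required
        return False
    if comparison == "between":
        return expected[0] <= value <= expected[1]
    return {">=": operator.ge, "<=": operator.le}[comparison](value, expected)


def _describe(rule: tuple) -> str:
    comparison, expected = rule
    if comparison == "between":
        return f"between {expected[0]} and {expected[1]}"
    return f"{comparison} {expected}"


def assess_parameter_file(text: str, baseline: dict) -> list:
    """Compliance test: check every baseline parameter, return the exceptions."""
    evidence_id = hashlib.sha256(text.encode()).hexdigest()
    observed = parse_parameter_file(text)
    findings = []
    for parameter, rule in baseline.items():
        if parameter not in observed:
            findings.append(Finding(parameter, None, None, _describe(rule), evidence_id))
            continue
        line, value = observed[parameter]
        if not _satisfies(value, rule):
            findings.append(Finding(parameter, line, value, _describe(rule), evidence_id))
    return findings


if __name__ == "__main__":
    for f in assess_parameter_file(SAMPLE_PARAMETER_FILE, BASELINE):
        where = f"line {f.line}" if f.line else "not set"
        print(f"{f.parameter}: observed {f.observed!r} ({where}); expected {f.expected}")
```

Run against the sample file it reports four exceptions (minimum length, lockout threshold, the unset lockout duration and disabled audit logging), each carrying the hash of the file examined.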

risk, this assists the IS auditor in selecting certain areas to examine.
• It helps the IS auditor in his/her evaluation of controls in audit planning.
• It assists the IS auditor in determining audit objectives.
• It supports risk-based audit decision making.

Elements of controls that should be considered when evaluating control strength are classified as preventive, detective or corrective in nature. Exhibit 1.5 displays control categories, functions and usages.

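The risk assessment life cycle and the cost-benefit selection of countermeasures described in section 1.4, carried through in code as an added example (it is not from the manual or from ISACA's Risk IT material). The asset register, the probabilities and losses, the effect and cost of each control, and the appetite figure are all constructed for illustration.

```python
"""Added example (not from the CISA Review Manual): a worked pass through the
risk assessment life cycle of section 1.4, using constructed figures.

Risk is scored as probability x consequence (the ISO/IEC 73 combination).
Each candidate countermeasure reduces probability, reduces impact or
transfers part of the loss; it is adopted only when its cost is below the
risk it removes, and controls are added until residual risk is within
management's appetite. Assets, threats, probabilities, losses and control
costs are all hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float      # annual likelihood of the event, 0..1
    impact: float           # loss if it occurs, in currency units


@dataclass
class Control:
    name: str
    cost: float                       # annual cost of operating the control
    probability_factor: float = 1.0   # multiplies probability (prevent)
    impact_factor: float = 1.0        # multiplies impact (minimize / transfer)


@dataclass
class Treatment:
    risk: Risk
    inherent: float
    residual: float
    selected: list = field(default_factory=list)
    within_appetite: bool = False


def exposure(probability: float, impact: float) -> float:
    """Risk as the combination of probability and consequence."""
    return probability * impact


def select_controls(risk: Risk, candidates: list, appetite: float) -> Treatment:
    """Cost-benefit selection: adopt a control only if it removes more risk than it
    costs, best value first, and stop once residual risk is within appetite."""
    probability, impact = risk.probability, risk.impact
    inherent = exposure(probability, impact)
    chosen = []
    remaining = list(candidates)
    while exposure(probability, impact) > appetite and remaining:
        best, best_net = None, 0.0
        for control in remaining:
            reduced = exposure(probability * control.probability_factor,
                               impact * control.impact_factor)
            net = (exposure(probability, impact) - reduced) - control.cost
            if net > best_net:
                best, best_net = control, net
        if best is None:          # no remaining control pays for itself
            break
        remaining.remove(best)
        chosen.append(best.name)
        probability *= best.probability_factor
        impact *= best.impact_factor
    residual = exposure(probability, impact)
    return Treatment(risk, inherent, residual, chosen, residual <= appetite)


def assess(register: list, candidates: dict, appetite: float) -> list:
    """One pass of the cycle; re-run whenever monitoring shows the environment changed."""
    return [select_controls(r, candidates.get(r.asset, []), appetite) for r in register]


# Constructed register: probabilities and losses are illustrative only.
REGISTER = [
    Risk("customer database", "unauthorized disclosure", 0.20, 500_000),
    Risk("payroll system", "extended outage", 0.10, 80_000),
]
CANDIDATES = {
    "customer database": [
        Control("encryption at rest", 12_000, impact_factor=0.3),
        Control("privileged access review", 8_000, probability_factor=0.5),
        Control("cyber insurance", 15_000, impact_factor=0.5),
    ],
    "payroll system": [
        Control("tested backup and rerun procedures", 5_000, impact_factor=0.25),
        Control("hot standby site", 40_000, probability_factor=0.1),
    ],
}
APPETITE = 10_000   # residual annual loss expectancy management will accept


if __name__ == "__main__":
    for t in assess(REGISTER, CANDIDATES, APPETITE):
        status = "within appetite" if t.within_appetite else "escalate: accept, terminate or transfer"
        print(f"{t.risk.asset}: {t.inherent:,.0f} -> {t.residual:,.0f} via {t.selected} ({status})")
```

With these figures the database risk is taken from 100,000 to 15,000 by two controls and then stops, because the third would cost more than it removes, so the residual sits above appetite and goes back to management; the payroll risk is already within appetite and receives no control.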
1.5 INTERNAL CONTROLS
Internal controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization.

Internal controls are developed to provide reasonable assurance to management that the organization's business objectives will be achieved and risk events will be prevented, or detected and corrected. Internal control activities and supporting processes are either manual or driven by automated computer information resources. Internal controls operate at all levels within an organization to mitigate its exposures to risks that potentially could prevent it from achieving its business objectives. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system, and for continuously monitoring the effectiveness of the internal control system, although each individual within an organization must take part in this process.

There are two key aspects that controls should address: what should be achieved, and what should be avoided. Not only do internal controls address business/operational objectives, but they should also address undesired events through prevention, detection and correction.

Control objectives are statements of the desired result or purpose to be achieved by implementing control activities (procedures). For example, control objectives may relate to the following concepts:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

Control objectives apply to all controls, whether they are manual, automated or a combination (e.g., review of system logs). Control objectives in an IS environment do not differ from those in a manual environment; however, the way these controls are implemented may be different. Thus, control objectives need to be addressed relevant to specific IS-related processes.

. Detect problems before they arise. . Employ only qualified personnel.


r Monitor both operation and inputs. . Segregate duties (detenent factor).
o Attgmpt to predict potential problems
before they occur and . Control access to physical facilities.
make adjustments. . Use w_ell-designed documents (prevent errors).
. Prevent an error,omission 0r malicious act from . Establish suitable procedures for authorization
occuning.
of transactions.
. Complete programmed edit checks.
. Use access control software that allows only authorized personnel
to
access sensitive files.

o Use controls that detect


' use encryption software to prevent unauth'rized
discrosure or data.
and report the occurrence of an . Hash tohls
error, omission or malicious act. . Check poinb in production jobs
o Echo controls in telecommunications
. Enor messages over tape labels
. Duplicate checking of calculations
. Periodic performance reporting with variances
. Past-due account reports
. lntemal audit functions
. Review of activity logs t0 detect unauthorized access
attempb
r Minimize the impact of a threat. . Contingency planning
. Remedy prqblems discovered by detective confols. . Backup procedures
. ldentiff the cause of a problem. . Rerun procedures
. Conect enors arising from a problem.
. Modrfy the processing system(s) to minimize future
occurences of the problem.


1.5.1 IS CONTROL OBJECTIVES

IS control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around information systems processes
• Comprised of policies, procedures, practices and organizational structures
• Designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Enterprise management needs to make choices relative to these control objectives by:
• Selecting those that are applicable
• Deciding on those that will be implemented
• Choosing how to implement them (frequency, span, automation, etc.)
• Accepting the risk of not implementing those that may apply

Specific IS control objectives may include:
• Safeguarding assets. Information on automated systems is secure from improper access and current.
• Ensuring integrity of general operating system (OS) environments, including network management and operations.
• Ensuring integrity of sensitive and critical application system environments, including accounting/financial and management information (information objectives) and customer data, through:
  – Authorization of the input. Each transaction is authorized and entered only once.
  – Validation of the input. Each input is validated and will not cause negative impact to the processing of transactions.
  – Accuracy and completeness of processing of transactions.
  – All transactions are recorded accurately and entered into the system for the proper period.
  – Reliability of overall information processing activities
  – Accuracy, completeness and security of the output
  – Database integrity, availability and confidentiality
• Ensuring appropriate identification and authentication of users of IS resources (end users as well as infrastructure support).
• Ensuring the efficiency and effectiveness of operations (operational objectives).
• Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives).
• Ensuring availability of IT services by developing efficient business continuity (BCP) and disaster recovery plans (DRP).
• Enhancing protection of data and systems by developing an incident response plan.
• Ensuring integrity and reliability of systems by implementing effective change management procedures.

ISACA publishes an IT governance and control framework incorporating good IT management practices. COBIT is the leading framework for governance, control and assurance for information and related technology.

1.5.2 COBIT 5

COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. COBIT 5 is generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

[Exhibit 1.6 (figure: the five COBIT 5 principles). Source: ISACA, COBIT 5, USA, 2012, figure 2]

COBIT 5 is based on five key principles (shown in exhibit 1.6) for governance and management of enterprise IT:
• Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders, by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT. Because every enterprise has different objectives, an enterprise can customize COBIT 5 to suit its own context through the goals cascade; translating high-level enterprise goals into manageable, specific, IT-related goals and mapping these to specific processes and practices.
• Principle 2: Covering the Enterprise End-to-End—COBIT 5 integrates governance of enterprise IT into enterprise governance:
  – It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function," but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
  – It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that


is relevant to governance and management of enterprise information and related IT.
• Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and best practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.
• Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT requires a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
  – Principles, Policies and Frameworks
  – Processes
  – Organizational Structures
  – Culture, Ethics and Behavior
  – Information
  – Services, Infrastructure and Applications
  – People, Skills and Competencies
• Principle 5: Separating Governance from Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. COBIT 5's view on this key distinction between governance and management is:
  – Governance
    Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
    In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.
  – Management
    Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
    In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).

Together, these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders.

1.5.3 GENERAL CONTROLS

Controls include policies, procedures and practices (tasks and activities) established by management to provide reasonable assurance that specific objectives will be achieved.

General controls apply to all areas of the organization including IT infrastructure and support services. General controls include:
• Internal accounting controls that are primarily directed at accounting operations—controls that concern the safeguarding of assets and reliability of financial records
• Operational controls that concern day-to-day operations, functions and activities, and ensure that the operation is meeting the business objectives
• Administrative controls that concern operational efficiency in a functional area and adherence to management policies (administrative controls support the operational controls specifically concerned with operating efficiency and adherence to organizational policies)
• Organizational security policies and procedures to ensure proper usage of assets
• Overall policies for the design and use of adequate documents and records (manual/automated) to help ensure proper recording of transactions—transactional audit trail
• Procedures and practices to ensure adequate safeguards over access to and use of assets and facilities
• Physical and logical security policies for all facilities, data centers and IT resources (e.g., servers and telecom infrastructure)

1.5.4 IS CONTROLS

Each general control can be translated into an IS-specific control. A well-designed information system should have controls built in for all its sensitive or critical functions. For example, the general procedure to ensure that adequate safeguards over access to assets and facilities can be translated into an IS-related set of control procedures, covering access safeguards over computer programs, data and computer equipment. The IS auditor should understand the basic control objectives that exist for all functions. IS control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls


• Business continuity (BCP)/disaster recovery planning (DRP)
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and external attacks

The IS auditor should understand concepts regarding IS controls and how to apply them in planning an audit.

1.6 PERFORMING AN IS AUDIT

To perform an audit, several steps are required. Adequate planning is a necessary first step in performing effective IS audits. To effectively use IS audit resources, audit organizations must assess the overall risks for the general and application areas and related services being audited, and then develop an audit program that consists of objectives and audit procedures to satisfy the audit objectives. The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of controls based on the evidence gathered through audit tests, and prepare an audit report that presents those issues (areas of control weaknesses with recommendations for remediation) in an objective manner to management.

Audit management must ensure the availability of adequate audit resources and a schedule for performing the audits and, in the case of internal IS audit, for follow-up reviews on the status of corrective actions taken by management. The process of auditing includes defining the audit scope, formulating audit objectives, identifying audit criteria, performing audit procedures, reviewing and evaluating evidence, forming audit conclusions and opinions, and reporting to management after discussion with key process owners.

Project management techniques for managing and administering audit projects, whether automated or manual, include the following basic steps:
• Plan the audit engagement—Plan the audit considering project-specific risk.
• Build the audit plan—Chart out the necessary audit tasks across a time line, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
• Execute the plan—Execute audit tasks against the plan.
• Monitor project activity—IS auditors report their actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

1.6.1 CLASSIFICATION OF AUDITS

The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures associated with each:
• Compliance audits—Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. These audits often overlap traditional audits, but may focus on particular systems or data. Examples include Payment Card Industry (PCI) Data Security Standard (DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle health care data.
• Financial audits—The purpose of a financial audit is to assess the accuracy of financial reporting. A financial audit will often involve detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach. This kind of audit relates to financial information integrity and reliability.
• Operational audits—An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are some examples of operational audits.
• Integrated audits—An integrated audit combines financial and operational audit steps. An integrated audit is also performed to assess the overall objectives within an organization, related to financial information and assets' safeguarding, efficiency and compliance. An integrated audit can be performed by external or internal auditors and would include compliance tests of internal controls and substantive audit steps.
• Administrative audits—These are oriented to assess issues related to the efficiency of operational productivity within an organization.
• IS audits—This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
• Specialized audits—Within the category of IS audits, there are a number of specialized reviews that examine areas such as services performed by third parties. Because businesses are becoming increasingly reliant on third-party service providers, it is important that internal controls be evaluated in these environments. The Statement on Standards for Attestation Engagements (SSAE) 16, titled "Reporting on Controls at a Service Organization," is a widely known auditing standard developed by the American Institute of Certified Public Accountants (AICPA). This standard replaced the previous standard, Statement on Auditing Standards 70 (SAS 70), titled "Reports on the Processing of Transactions by Service Organizations." This standard defines the professional standards used by a service auditor to assess the internal controls of a service organization. This type of audit has become increasingly relevant due to the current trend of outsourcing of financial and business processes to third-party service providers which, in some cases, may operate in different jurisdictions or even different countries. It should be noted that a Type 2 SSAE 16 review is a more thorough variation of a regular SSAE 16 review, which is often required in connection with regulatory reviews. Many other countries have their own equivalent of this standard. An SSAE 16-type audit is important because

All audit plans, programs, activities, tests, findings and incidents shall be properly documented in work papers.

The format and media of work papers can vary depending on specific needs of the department. IS auditors should particularly consider how to maintain the integrity and protection of audit test evidence in order to preserve their value as substantiation in support of audit results.

• Identify the area to be audited.
• Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
• Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous program changes example, the scope statement might limit the review to a single application system or to a limited period of time.

Preaudit planning
• Identify technical skills and resources needed.
• Identify the sources of information for test or review such as functional flow charts, policies, standards, procedures and prior audit work papers.
• Identify locations or facilities to be audited.

Audit procedures and steps for data gathering
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify control.

Organization-specific

Organization-specific

Audit report preparation
• Identify follow-up review procedures.
• Identify procedures to evaluate/test operational efficiency and effectiveness.
• Identify procedures to test controls.
• Review and evaluate the soundness of documents, policies and procedures.

Work papers can be considered the bridge or interface between the audit objectives and the final report. Work papers should provide a seamless transition—with traceability and support for the work performed—from objectives to report and from report to objectives. In this context, the audit report can be viewed as a particular work paper.

1.6.4 FRAUD DETECTION

The use of information technology for business has immensely benefited enterprises in terms of significantly increased quality of delivery of information. However, the widespread use of information technology and the Internet leads to risks that enable the perpetration of errors and frauds.

Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the control objectives. A well-designed internal control system provides good opportunities for deterrence and/or timely detection of fraud. Internal controls may fail where such controls are circumvented by exploiting vulnerabilities or through management perpetrated weakness in controls or collusion among people.

Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any frauds, whether material or not.

IS auditors should observe and exercise due professional care (ISACA IS Auditing Standard S3) in all aspects of their work. IS auditors entrusted with assurance functions should ensure reasonable care while performing their work and be alert to the possible opportunities that allow fraud to materialize.

The presence of internal controls does not altogether eliminate fraud. IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting the vulnerabilities and overriding controls in the IT-enabled environment. IS auditors should have knowledge of fraud and fraud indicators, and be alert to the possibility of fraud and errors while performing an audit.

During the course of regular assurance work, the IS auditor may come across instances or indicators of fraud. The IS auditor may, after careful evaluation, communicate the need for a detailed investigation to appropriate authorities. In the case of the auditor identifying a major fraud, or if the risk associated with the detection is high, audit management should also consider communicating in a timely manner to the audit committee.

Regarding fraud prevention, the IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities.

1.6.5 RISK-BASED AUDITING

Effective risk-based auditing is driven by two processes:
1. The risk assessment that drives the audit schedule (addressed in section 1.6.7 Risk Assessment and Treatment)
2. The risk assessment that minimizes the audit risk during the execution of an audit (addressed in section 1.6.6 Audit Risk and Materiality)

A risk-based audit approach is usually adapted to develop and improve the continuous audit process. This approach is used to assess risk and to assist an IS auditor in making the decision to perform either compliance testing or substantive testing. It is important to stress that the risk-based audit approach efficiently assists the auditor in determining the nature and extent of testing.


Within this concept, inherent risk, control risk or detection risk should not be of major concern, despite some weaknesses. In a risk-based audit approach, IS auditors are not just relying on risk; they also are relying on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk, allowing practical choices.

Business risks include concerns about the probable effects of an uncertain event on achieving established business objectives. The nature of these risks may be financial, regulatory or operational, and may also include risks derived from specific technology. For example, an airline company is subject to extensive safety regulations and economic changes, both of which impact the continuing operations of the company. In this context, the availability of IT service and its reliability are critical.

By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk model or approach in conducting the audit. The risk model assessment can be as simple as creating weights for the types of risks associated with the business and identifying the risks in an equation. On the other hand, risk assessment can be a scheme where risks have been given elaborate weights based on the nature of the business or the significance of the risk. A simplistic overview of a risk-based audit approach can be seen in exhibit 1.8.

1.6.6 AUDIT RISK AND MATERIALITY

Audit risk can be defined as the risk that information may contain a material error that may go undetected during the course of the audit. The IS auditor should also take into account, if applicable, other factors relevant to the organization: customer data, privacy, availability of provided services as well as corporate and public image as in the case of public organizations or foundations.

Audit risk is influenced by:
• Inherent risk—As it relates to audit risk, it is the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented. Inherent risks exist independent of an audit and can occur because of the nature of the business.
• Control risk—The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.
• Detection risk—The risk that material errors or misstatements that have occurred will not be detected by the IS auditor.
• Overall audit risk—The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.

Exhibit 1.8 (risk-based audit approach)

• Knowledge of business and industry
• Prior year's audit results
• Recent financial information
• Regulatory statutes
• Inherent risk assessments

Obtain Understanding of Internal Control
• Control environment
• Control procedures
• Detection risk assessment
• Control risk assessment
• Equate total risk

Perform Compliance Tests
• Identify key controls to be tested.
• Perform tests on reliability, risk prevention and adherence to organization policies and procedures.

Perform Substantive Tests
• Analytical procedures
• Detailed tests of account balances
• Other substantive audit procedures

Conclude the Audit
• Create recommendations.
• Write audit report.


Specifically, this means that an internal control weakness or set of combined internal control weaknesses leaves the organization highly susceptible to the occurrence of a threat (e.g., financial loss, business interruption, loss of customer trust, economic sanction, etc.). The IS auditor should be concerned with assessing the materiality of the items in question through a risk-based audit approach to evaluating internal controls.

The IS auditor should have a good understanding of these audit risks when planning an audit. An audit sample may not detect every potential error in a population. However, by using proper statistical sampling procedures or a strong quality control process, the probability of detection risk can be reduced to an acceptable level. Similarly, when evaluating internal controls, the IS auditor should realize that a given system may not detect a minor error. However, that specific error, combined with others, could become material to the overall system.

The concept of materiality requires sound judgment from the IS auditor. The IS auditor may detect a small error that could be considered significant at an operational level, but may not be viewed as significant to upper management. Materiality considerations combined with an understanding of audit risk are essential concepts for planning the areas to be audited and the specific test to be performed in a given audit.

1.6.7 RISK ASSESSMENT AND TREATMENT

Assessing Security Risks
To develop a more complete understanding of audit risk, the IS auditor should also understand how the organization being audited approaches risk assessment and treatment.

Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action, priorities for managing information security risks, and priorities for implementing controls selected to protect against these risks.

Risk assessments should also be performed periodically to address changes in the environment, security requirements and in the risk situation (e.g., in the assets, threats, vulnerabilities, impacts), and when significant changes occur. These risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.

The scope of a risk assessment can be either the whole organization, parts of the organization, an individual information system, specific system components, or services where this is practicable, realistic and helpful.

Treating Risks
Before considering the treatment of a risk, the organization should decide the criteria for determining whether risks can be accepted. Risks may be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.

Each of the risks identified in the risk assessment needs to be treated. Possible risk response options include:
• Risk mitigation—Applying appropriate controls to reduce the risks
• Risk acceptance—Knowingly and objectively not taking action, providing the risk clearly satisfies the organization's policy and criteria for risk acceptance
• Risk avoidance—Avoiding risks by not allowing actions that would cause the risks to occur
• Risk transfer/sharing—Transferring the associated risks to other parties, e.g., insurers or suppliers

For those risks where the risk treatment decision has been to apply appropriate controls, controls should be selected to ensure that risks are reduced to an acceptable level, taking into account:
• Requirements and constraints of national and international legislation and regulations
• Organizational objectives
• Operational requirements and constraints
• Cost effectiveness (the need to balance the investment in implementation and operation of controls against the harm likely to result from security failures)

Controls can be selected from professional or industry standards or new controls can be designed to meet the specific needs of the organization. It is necessary to recognize that some controls may not be applicable to every information system or environment, and might not be practical for all organizations.

Information security controls should be considered at the systems and projects requirements specification and design stage. Failure to do so can result in additional costs and less effective solutions, and, in a worst case scenario, the inability to achieve adequate security.

No set of controls can achieve complete security. Additional management action should be implemented to monitor, evaluate, and improve the efficiency and effectiveness of security controls to support the organization's aims.

1.6.8 RISK ASSESSMENT TECHNIQUES

When determining which functional areas should be audited, the IS auditor could face a large variety of audit subjects. Each of these subjects may represent different types of risk. The IS auditor should evaluate these various risk candidates to determine the high-risk areas that should be audited.

There are many risk assessment methodologies, computerized and noncomputerized, from which the IS auditor may choose. These range from simple classifications of high, medium and low, based on the IS auditor's judgment, to complex scientific calculations that provide a numeric risk rating.

One such risk assessment approach is a scoring system that is useful in prioritizing audits based on an evaluation of risk factors. The system considers variables such as technical complexity, level of control procedures in place and level of financial loss. These variables may or may not be weighted. The risk values are then compared to each other and audits are scheduled accordingly. Another form of risk assessment is judgmental, where an independent decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. A combination of techniques may be used as well. Risk assessment methods may change and develop over time to best serve the needs of the organization. The IS auditor should consider the level of complexity and detail appropriate for the organization being audited.

Using risk assessment to determine areas to be audited:
• Enables management to effectively allocate limited audit resources.
• Ensures that relevant information has been obtained from all levels of management, including boards of directors, IS auditors and functional area management. Generally, this information assists management in effectively discharging its responsibilities and ensures that the audit activities are directed to high-risk areas, which will add value for management.
• Establishes a basis for effectively managing the audit department.
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans.

1.6.9 AUDIT OBJECTIVES

Audit objectives refer to the specific goals that must be accomplished by the audit. In contrast, a control objective refers to how an internal control should function. An audit may, and generally does, incorporate several audit objectives.

Audit objectives often focus on substantiating that internal controls exist to minimize business risks, and that they function as expected. These audit objectives include assuring compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information and IT resources. Audit management may give the IS auditor a general control objective to review and evaluate when performing an audit.

A key element in planning an IS audit is to translate basic and wide-ranging audit objectives into specific IS audit objectives. For example, in a financial/operational audit, a control objective could be to ensure that transactions are properly posted to the general ledger accounts. However, in the IS audit, the objective could be extended to ensure that editing features are in place to detect errors in the coding of transactions that may impact the account-posting activities.

The IS auditor must have an understanding of how general audit objectives can be translated into specific IS control objectives. Determining an audit's objectives is a critical step in planning an IS audit.

One of the basic purposes of any IS audit is to identify control objectives and the related controls that address the objective. For example, the IS auditor's initial review of an information system should identify key controls. The IS auditor should then decide whether to test these controls for compliance. The IS auditor should identify both key general and application controls after developing an understanding, and documenting, the business processes and the applications/functions that support these processes and general support systems. Based on that understanding, the IS auditor should identify the key control points.

Alternatively, an IS auditor may assist in assessing the integrity of financial reporting data, referred to as substantive testing, through computer-assisted audit techniques.

1.6.10 COMPLIANCE VS. SUBSTANTIVE TESTING

Compliance testing is evidence gathering for the purpose of testing an organization's compliance with control procedures. This differs from substantive testing, in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.

A compliance test determines if controls are being applied in a manner that complies with management policies and procedures. For example, if the IS auditor is concerned about whether production program library controls are working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the same. The broad objective of any compliance test is to provide IS auditors with reasonable assurance that the particular control on which the IS auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation.

It is important that the IS auditor understands the specific objective of a compliance test and of the control being tested. Compliance tests can be used to test the existence and effectiveness of a defined process, which may include a trail of documentary and/or automated evidence, for example, to provide assurance that only authorized modifications are made to production programs.

A substantive test substantiates the integrity of actual processing. It provides evidence of the validity and integrity of the balances in the financial statements, and the transactions that support these balances. IS auditors could use substantive tests to test for monetary errors directly affecting financial statement balances, or other relevant data of the organization. Additionally, an IS auditor might develop a substantive test to determine if the tape library inventory records are stated correctly. To perform this test, the auditor might take a thorough inventory or might use a statistical sample, which will allow the IS auditor to develop a conclusion regarding the accuracy of the entire inventory.

There is a direct correlation between the level of internal controls and the amount of substantive testing required. If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then the IS auditor is justified in minimizing the substantive procedures. Conversely, if the control testing reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.

Examples of compliance testing of controls where sampling could be considered include user access rights, program change control procedures, documentation procedures, program documentation, follow-up of exceptions, review of logs, software license audits, etc.

Examples of substantive tests where sampling could be considered include performance of a complex calculation (e.g., interest) on a sample of accounts or a sample of transactions to vouch for supporting documentation, etc.

The IS auditor could also decide during the preliminary assessment of the controls to include some substantive testing if the results of this preliminary evaluation indicate that implemented controls are not reliable or do not exist.

Exhibit 1.9 shows the relationship between compliance and substantive tests, and describes the two categories of substantive tests.

1.6.11 EVIDENCE

Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and supports audit conclusions. It is a requirement that the auditor's conclusions be based on sufficient, relevant and competent evidence. When planning the IS audit, the IS auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its varying levels of reliability.

Audit evidence may include the IS auditor's observations (presented to management), notes taken from interviews, results of independent confirmations obtained by the IS auditor from different stakeholders, material extracted from correspondence and internal documentation or contracts with external partners, or the results of audit test procedures. While all evidence will assist the IS auditor in developing audit conclusions, some evidence is more reliable than others. The rules of evidence and sufficiency as well as the competency of evidence must be taken into account as required by audit standards.

Note: [...] in the CISA exam because of the various laws and regulations governing the collection, protection and chain of custody of evidence. This topic, though relevant for the IS auditor, is not [...]

Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence - Evidence obtained from outside sources is more reliable than from within the organization. This is why confirmation letters are used for verification of accounts receivable balances. Additionally, signed contracts or agreements with external parties could be considered reliable if the original documents are made available for review.
• Qualifications of the individual providing the information/evidence - Whether the providers of the information/evidence are inside or outside of the organization, the IS auditor should always consider the qualifications and functional responsibilities of the persons providing the information. This can also be true of the IS auditor. If an IS auditor does not have a good understanding of the technical area under review, the information gathered from testing that area may not be reliable, especially if the IS auditor does not fully understand the test.
• Objectivity of the evidence - Objective evidence is more reliable than evidence that requires considerable judgment or interpretation. An IS auditor's review of media inventory is direct objective evidence. An IS auditor's analysis of the efficiency of an application, based on discussions with certain personnel, may not be objective audit evidence.
• Timing of the evidence - The IS auditor should consider the time during which information exists or is available in determining the nature, timing and extent of compliance testing and, if applicable, substantive testing. For example, audit evidence processed by dynamic systems, such as spreadsheets, may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

The IS auditor gathers a variety of evidence during the audit. Some evidence may be relevant to the objectives of the audit, while other evidence may be considered peripheral. The IS auditor should focus on the overall objectives of the review and not the nature of the evidence gathered.

Exhibit 1.9 (flowchart):
1. Review the system to identify controls.
2. Test compliance to determine whether controls are functioning.
3. Evaluate the controls to determine the basis for reliance and the nature, scope and timing of substantive tests.
4. Use two types of substantive tests to evaluate the validity of the data.

The quality and quantity of evidence must be assessed by the IS auditor. These two characteristics are referred to by the International Federation of Accountants (IFAC) as competent (quality) and sufficient (quantity). Evidence is competent when it is both valid and relevant. Audit judgment is used to determine when sufficiency is achieved in the same manner that is used to determine the competency of evidence.

An understanding of the rules of evidence is important for IS auditors since they may encounter a variety of evidence types.

Gathering of evidence is a key step in the audit process. The IS auditor should be aware of the various forms of audit evidence and how evidence can be gathered and reviewed. The IS auditor should understand ISACA IT Assurance Standards S6 and S14, and should obtain evidence of a nature and sufficiency to support audit findings.

The following are techniques for gathering evidence:
• Reviewing IS organizational structures - An organizational structure that provides an adequate separation or segregation of duties is a key general control in an IS environment. The IS auditor should understand general organizational controls and be able to evaluate these controls in the organization under audit. Where there is a strong emphasis on cooperative distributed processing or on end-user computing, IS functions may be organized somewhat differently than the classic IS organization, which consists of separate systems and operations functions. The IS auditor should be able to review these organizational structures and assess the level of control they provide.
• Reviewing IS policies and procedures - An IS auditor should review whether appropriate policies and procedures are in place, determine whether personnel understand the implemented policies and procedures, and ensure that policies and procedures are being followed. The IS auditor should verify that management assumes full responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives. Periodic reviews of policies and procedures for appropriateness should be carried out.
• Reviewing IS standards - The IS auditor should first understand the existing standards in place within the organization.
• Reviewing IS documentation - A first step in reviewing the documentation for an information system is to understand the existing documentation in place within the organization. This documentation could be held in hard copy form or stored electronically (e.g., document images stored on the internal corporate network). If the latter is the case, controls to preserve the document integrity should be evaluated by the IS auditor. The IS auditor should look for a minimum level of IS documentation. Documentation may include:
  – Systems development initiating documents (e.g., feasibility study)
  – Documentation provided by external application suppliers
  – Service level agreements (SLAs) with external IT providers
  – Functional requirements and design specifications
  – Test plans and reports
  – Program and operations documents
  – Program change logs and histories
  – User manuals
  – Operations manuals
  – Security-related documents (e.g., security plans, risk assessments)
  – BCPs
  – QA reports
  – Reports on security metrics
• Interviewing appropriate personnel - Interviewing techniques are an important skill for the IS auditor. Interviews should be organized in advance with objectives clearly communicated, follow a fixed outline and be documented by interview notes. An interview form or checklist prepared by an IS auditor is a good approach. The IS auditor should always remember that the purpose of such an interview is to gather audit evidence. Procedures to gather audit evidence include: inquiry, observation, inspection, confirmation, performance and monitoring. Personnel interviews are discovery in nature and should never be accusatory; the interviewer should help people feel comfortable, encouraging them to share information, ideas, concerns and knowledge. The IS auditor should verify the accuracy of the notes with the interviewee whether or not these notes would be necessary to support conclusions.
• Observing processes and employee performance - The observation of processes is a key audit technique for many types of review. The IS auditor should be unobtrusive while making observations and should document everything in sufficient detail to be able to present it, if required, as audit evidence at a later date. In some situations, the release of the audit report may not be timely enough to use this observation as evidence. This may necessitate the issuance of an interim report to management of the area being audited. The IS auditor may also wish to consider whether documentary evidence would be useful as evidence (e.g., photograph of a server room with doors fully opened).
• Reperformance - The reperformance process is a key audit technique that generally provides better evidence than the other techniques and is therefore used when a combination of inquiry, observation and examination of evidence does not provide sufficient assurance that a control is operating effectively.
• Walkthroughs - The walkthrough is an audit technique to confirm the understanding of controls.

All of these techniques for gathering evidence are part of an audit, but an audit is not considered only review work. An audit includes examination, which incorporates by necessity the testing of controls and audit evidence, and therefore includes the results of audit tests.

IS auditors should recognize that with systems development techniques such as computer-aided software engineering (CASE) or prototyping, traditional systems documentation will not be required or will be in an automated form rather than on paper. However, the IS auditor should look for documentation standards and practices within the IS organization.

The IS auditor should be able to review documentation for a given system and determine whether it follows the organization's documentation standards. In addition, the IS auditor should

understand the current approaches to developing systems such as object orientation, CASE tools or prototyping, and how the documentation is constructed. The IS auditor should recognize other components of IS documentation such as database specifications, file layouts or self-documented program listings.

1.6.12 INTERVIEWING AND OBSERVING PERSONNEL IN PERFORMANCE OF THEIR DUTIES

Observing personnel in the performance of their duties assists an IS auditor in identifying:
• Actual functions - Observation could be an adequate test to ensure that the individual who is assigned and authorized to perform a particular function is the person who is actually doing the job. It allows the IS auditor an opportunity to witness how policies and procedures are understood and practiced. Depending on the specific situation, the results of this type of test should be compared with the respective logical access rights.
• Actual processes/procedures - Performing a walk-through of the process/procedure allows the IS auditor to gain evidence of compliance and observe deviations, if any. This type of observation could prove to be useful for physical controls.
• Security awareness - Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures to safeguard the company's assets and data. This type of information could be complemented with an examination of previous and planned security training.
• Reporting relationships - Reporting relationships should be observed to ensure that assigned responsibilities and adequate segregation of duties are being practiced. Often, the results of this type of test should be compared with the respective logical access rights.
• Observation drawbacks - The observer may interfere with the observed environment. Personnel, upon noticing that they are being observed, may change their usual behavior.

Interviewing information processing personnel and management should provide adequate assurance that the staff has the required technical skills to perform the job. This is an important factor that contributes to an effective and efficient operation.

1.6.13 SAMPLING

Sampling is used when time and cost considerations preclude a total verification of all transactions or events in a predefined population. The population consists of the entire group of items that need to be examined. The subset of population members used to perform testing is called a sample. Sampling is used to infer characteristics about a population, based on the characteristics of a sample.

The two general approaches to audit sampling are statistical and nonstatistical:
1. Statistical sampling - An objective method of determining the sample size and selection criteria. Statistical sampling uses the mathematical laws of probability to: a) calculate the sampling size, b) select the sample items, and c) evaluate the sample results and make the inference. With statistical sampling, the IS auditor quantitatively decides how closely the sample should represent the population (assessing sample precision) and the number of times in 100 that the sample should represent the population (the reliability or confidence level). This assessment will be represented as a percentage. The results of a valid statistical sample are mathematically quantifiable.
2. Nonstatistical sampling (often referred to as judgmental sampling) - Uses auditor judgment to determine the method of sampling, the number of items that will be examined from a population (sample size) and which items to select (sample selection). These decisions are based on subjective judgment as to which items/transactions are the most material and most risky.

When using either statistical or nonstatistical sampling methods, the IS auditor should design and select an audit sample, perform audit procedures, and evaluate sample results to obtain sufficient, reliable, relevant and useful audit evidence. These methods of sampling require the IS auditor to use judgment when defining the population characteristics, and thus are subject to the risk that the IS auditor will draw the wrong conclusion from the sample (sampling risk). However, statistical sampling permits the IS auditor to quantify the probability of error (confidence coefficient). To be a statistical sample, each item in the population should have an equal opportunity or probability of being selected. Within these two general approaches to audit sampling, there are two primary methods of sampling used by IS auditors: attribute sampling and variable sampling. Attribute sampling, generally applied in compliance testing situations, deals with the presence or absence of the attribute and provides conclusions that are expressed in rates of incidence. Variable sampling, generally applied in substantive testing situations, deals with population characteristics that vary, such as monetary values and weights (or any other measurement), and provides conclusions related to deviations from the norm.

Attribute sampling refers to three different but related types of proportional sampling:
1. Attribute sampling (also referred to as fixed sample-size attribute sampling or frequency-estimating sampling) - A sampling model that is used to estimate the rate (percent) of occurrence of a specific quality (attribute) in a population. Attribute sampling answers the question of "how many?" An example of an attribute that might be tested is approval signatures on computer access request forms.
2. Stop-or-go sampling - A sampling model that helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. Stop-or-go sampling is used when the IS auditor believes that relatively few errors will be found in a population.
3. Discovery sampling - A sampling model that can be used when the expected occurrence rate is extremely low. Discovery sampling is most often used when the objective of the audit is to seek out (discover) fraud, circumvention of regulations or other irregularities.
Variable sampling, also known as dollar estimation or mean estimation sampling, is a technique used to estimate the monetary value or some other unit of measure (such as weight) of a population from a sample portion. An example of variable sampling is a review of an organization's balance sheet for material transactions and an application review of the program that produced the balance sheet.

Variable sampling refers to a number of different types of quantitative sampling models:
1. Stratified mean per unit - A statistical model in which the population is divided into groups and samples are drawn from the various groups. Stratified mean sampling is used to produce a smaller overall sample size relative to unstratified mean per unit.
2. Unstratified mean per unit - A statistical model in which a sample mean is calculated and projected as an estimated total.
3. Difference estimation - A statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.

To perform attribute or variable sampling, the following statistical sampling terms need to be understood:
• Confidence coefficient (also referred to as confidence level or reliability factor) - A percentage expression (90 percent, 95 percent, 99 percent, etc.) of the probability that the characteristics of the sample are a true representation of the population. Generally, a 95 percent confidence coefficient is considered a high degree of comfort. If the IS auditor knows internal controls are strong, the confidence coefficient may be lowered. The greater the confidence coefficient, the larger the sample size.
• Level of risk - Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent (100 percent minus 95 percent).
• Precision - Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population. For attribute sampling, this figure is stated as a percentage. For variable sampling, this figure is stated as a monetary amount or a number. The higher the precision amount, the smaller the sample size and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size. A very low precision level may lead to an unnecessarily large sample size.
• Expected error rate - An estimate stated as a percent of the errors that may exist. The greater the expected error rate, the greater the sample size. This figure is applied to attribute sampling formulas but not to variable sampling formulas.
• Sample mean - The sum of all sample values, divided by the size of the sample. The sample mean measures the average value of the sample.
• Sample standard deviation - Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
• Tolerable error rate - Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. Tolerable rate is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage. Precision range and precision have the same meaning when used in substantive testing.
• Population standard deviation - A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas but not to attribute sampling formulas.
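The following added example (not from the CISA Review Manual) works the sampling material of section 1.6.13 through in Python: sample sizes for attribute, discovery and variable sampling from the confidence coefficient, precision, expected error rate and population standard deviation, and the three variable sampling estimators (unstratified mean per unit, stratified mean per unit, difference estimation). The normal-approximation formulas and the tape-library figures are assumptions of this example, not formulas the manual prescribes.

```python
"""Worked sampling calculations for the terms defined in section 1.6.13.

Added example, not from the manual. The normal-approximation formulas are
common textbook forms and are assumptions of this example; the sample data
are constructed.
"""
import math
from statistics import mean

# Two-sided z-scores for the confidence coefficients the manual lists.
Z_SCORES = {90: 1.645, 95: 1.960, 99: 2.576}


def level_of_risk(confidence_pct):
    """Level of risk = 100 percent minus the confidence coefficient."""
    return 100 - confidence_pct


def attribute_sample_size(confidence_pct, expected_error_rate, precision):
    """Fixed-sample-size attribute sampling (compliance testing).

    expected_error_rate and precision are proportions (0.05 = 5 percent).
    A higher confidence coefficient or expected error rate enlarges the
    sample; a wider precision shrinks it, as the manual describes.
    """
    z = Z_SCORES[confidence_pct]
    p = expected_error_rate
    return math.ceil(z ** 2 * p * (1 - p) / precision ** 2)


def discovery_sample_size(confidence_pct, critical_rate):
    """Discovery sampling: the smallest sample that, with the stated
    confidence, contains at least one occurrence when the true occurrence
    rate is critical_rate. Used when that rate is expected to be very low.
    P(no occurrence in n items) = (1 - rate)^n must not exceed the level of risk.
    """
    alpha = level_of_risk(confidence_pct) / 100
    return math.ceil(math.log(alpha) / math.log(1 - critical_rate))


def variable_sample_size(confidence_pct, population_std_dev, precision_amount):
    """Variable sampling (substantive testing): the population standard
    deviation drives the size; precision is a monetary amount or a number."""
    z = Z_SCORES[confidence_pct]
    return math.ceil((z * population_std_dev / precision_amount) ** 2)


def unstratified_mean_per_unit(population_size, sample_audited):
    """Project the sample mean as an estimated total for the population."""
    return population_size * mean(sample_audited)


def stratified_mean_per_unit(strata):
    """strata: list of (stratum_size, audited_sample_values). Each stratum is
    projected separately and the projections are summed."""
    return sum(size * mean(values) for size, values in strata)


def difference_estimation(population_size, book_total, sample_book, sample_audited):
    """Book total plus the projected average difference (audited minus book)
    observed in the sample."""
    diffs = [a - b for a, b in zip(sample_audited, sample_book)]
    return book_total + population_size * mean(diffs)


if __name__ == "__main__":
    # Constructed tape-library inventory: 100 records with a book total of
    # 10,000 units; four items were physically counted.
    book = [90, 110, 100, 120]      # book (unaudited) values of the sampled items
    audited = [90, 105, 100, 117]   # values found on inspection
    print("attribute n (95%, 5% expected, 3% precision):",
          attribute_sample_size(95, 0.05, 0.03))
    print("discovery n (95%, 1% critical rate):", discovery_sample_size(95, 0.01))
    print("variable n (95%, sd 50, precision 10):", variable_sample_size(95, 50, 10))
    print("mean per unit estimate:", unstratified_mean_per_unit(100, audited))
    print("difference estimate:", difference_estimation(100, 10_000, book, audited))
    print("stratified estimate:", stratified_mean_per_unit([(20, [500, 520]), (80, [40, 60])]))
```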
Key steps in the construction and selection of a sample for an audit test include:
• Determining the objectives of the test
• Defining the population to be sampled
• Determining the sampling method, such as attribute vs. variable sampling
• Calculating the sample size
• Selecting the sample
• Evaluating the sample from an audit perspective

It is important to know that tools exist to analyze all of the statistical data, not just those available through computer-assisted audit techniques.

Note: The IS auditor [...] of sampling techniques and [...] them.

1.6.14 USING THE SERVICES OF OTHER AUDITORS AND EXPERTS

Due to the scarcity of IS auditors and the need for IT security specialists and other subject matter experts to conduct audits of highly specialized areas, the audit department or auditors entrusted with providing assurance may require the services of other auditors or experts. Outsourcing of IS assurance and security services is increasingly becoming a common practice. External experts could include experts in specific technologies such as networking, automated teller machine (ATM), wireless, systems integration and digital forensics, or subject matter experts such as specialists in a particular industry or area of specialization such as banking, securities trading, insurance, legal experts, etc.

When a part or all of IS audit services are proposed to be outsourced to another audit or external service provider, the following should be considered with regard to using the services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

[...] assignment, the following may also require [...]:
• [...] checks
• Confidentiality [...] to protect customer-related information
• [...] other tools to be used by the external [...]
• Standards and methodologies for performance of work and documentation
• Nondisclosure agreements

The IS auditor or entity outsourcing the services should monitor the relationship to ensure the objectivity and independence throughout the duration of the arrangement.

It is important to understand that often, even though a part of or the whole of the audit work may be delegated to an external service provider, the related professional liability is not necessarily delegated. Therefore, it is the responsibility of the IS auditor or entity employing the services of external service providers to:
• Clearly communicate the audit objectives, scope and methodology through a formal engagement letter.
• Put in place a monitoring process for regular review of the work of the external service provider with regard to planning, supervision, review and documentation. For example, review of the work papers of other IS auditors or experts to confirm the work was appropriately planned, supervised, documented and reviewed, and to consider the appropriateness and sufficiency of the audit evidence provided; or review of the report of other IS auditors or experts to confirm the scope specified in the audit charter, terms of reference or letter of engagement has been met, that any significant assumptions used by other IS auditors or experts have been identified, and the findings and conclusions reported have been agreed on by management.
• Assess the usefulness and appropriateness of reports of such external providers, and assess the impact of significant findings on the overall audit objectives.

CAATs also enable IS auditors to gather information independently. [...] on findings generated.

CAATs include many types of tools and techniques such as generalized audit software (GAS), utility software, debugging and scanning software, test data, application software tracing and mapping, and expert systems.

GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. GAS provides IS auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. Features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. The following functions are commonly supported by GAS:
• File access - Enables the reading of different record formats and file structures
• File reorganization - Enables indexing, sorting, merging and linking with another file
• Data selection - Enables global filtration conditions and selection criteria
• Statistical functions - Enables sampling, stratification and frequency analysis
• Arithmetical functions - Enables arithmetic operators and functions
. Assess the usefulness requires an
and appropriatenlss of reports of such understanding of its capabilities and limitations.
external providers, and assess the impact
ofsignificant findings
on the overall audit objectives. Utility software isa subset of software_such as report generators
of the database management system_that provides
evidence to
auditors about system control Lffectivenor.
auditors using a sample set of data to assess
t.t our, rnvolve the
whettrer logic errors
exist in a program and whether the program
*""r" i,, objectives.
The review of an application system will provide
information about
mternal controls built in the system. The
audit_expert system will
give direction and valuable information
levjs of auOitors
to ail
1.6. 15 C0MPUTER-ASS|STED AUDTT while carrying out the audit because the qu".y_Uur"J
TECHNTQUES ryrtem is built
on the knowledge base of the senjor
During ttre course of an audit, the IS auditor auditors; m;agers.
is to obtain sufficien!
relevant and useful widence to effectively
achievethe audit These toolsand techniques can be used
objectives. The audit findings ana conctusions,t.rfO in performing various
U" supported audit procedures:
by appropriate analysis and interpretatron
oitrr" *ioence. Tbday,s . Tests crfthe details
oftransactions and balances
info. 11tion-grocessing
environments p"* rig.n.ant challenge . Analytical review procedures
to the IS auditor to collect sufficien! relevant.iJ*"n
" . Compliance tests
f evidence of IS general controls
since the evidence may onJy exist ln etecnonic . Compliance tests
fo.m. of IS application controls
are important tools for the IS auditor in gathering
'Y.*.t and operating system (OS) vulnerability assessments
9lATr . Penetration testing
information from these environments. When sysiems . Application
have security testing and source code security
different hardware and software environments] scans
dutu r*"*"r,
record-formats or processing functions, it is almost
impossible for The IS auditor should have a thorough understanding
the auditors to collect certain evidence without
a software tool to
ofCAAIs,
and know where and when to apply ihem. pt"a""
collect and analyze the records. i"ru. to C:,
ISACA Guideline on Computer Assisted Audit
Techniques.
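The GAS functions listed above (file access, data selection, stratification, sequence checking, duplicate checking and recomputation) as a worked example. This is added illustration code, not ISACA's code and not any GAS product; the purchase-order extract, the vendor names and the amounts are constructed here, and all analysis runs on an in-memory copy, in line with the guidance that CAAT work is done on copies of production data rather than on the production files.

```python
"""GAS-style checks over a copy of a flat transaction file (added example)."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample extract (invented values), as a CAAT would download it
# read-only from production: one purchase-order line per row.
SAMPLE_CSV = """seq,vendor,qty,unit_price,amount,approver
1001,ACME,10,12.50,125.00,jdoe
1002,ACME,3,40.00,120.00,jdoe
1003,GLOBEX,1,999.99,999.99,asmith
1005,INITECH,7,15.00,105.00,
1006,GLOBEX,1,999.99,999.99,asmith
1006,GLOBEX,1,999.99,999.99,asmith
1007,ACME,2,12.50,30.00,jdoe
1009,INITECH,100,15.00,1500.00,asmith
"""


def load_records(text):
    """File access: parse the flat file into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "seq": int(row["seq"]),
            "vendor": row["vendor"],
            "qty": int(row["qty"]),
            "unit_price": Decimal(row["unit_price"]),
            "amount": Decimal(row["amount"]),
            "approver": row["approver"],
        })
    return records


def sequence_gaps(records):
    """Sequence checking: numbers missing from a supposedly unbroken
    sequence, which can indicate deleted or unrecorded transactions."""
    present = {r["seq"] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicates(records, fields=("seq",)):
    """Duplicate checking: key tuples that occur more than once."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def recomputation_exceptions(records):
    """Recomputation: re-derive amount = qty * unit_price and list the rows
    whose stored amount disagrees."""
    return [r["seq"] for r in records if r["qty"] * r["unit_price"] != r["amount"]]


def select(records, predicate):
    """Data selection: apply a global filter condition."""
    return [r for r in records if predicate(r)]


def stratify(records, bands):
    """Statistical function: count and total of amounts per band
    (lower bound inclusive, upper bound exclusive)."""
    strata = {}
    for label, low, high in bands:
        subset = [r for r in records if low <= r["amount"] < high]
        total = sum((r["amount"] for r in subset), Decimal("0"))
        strata[label] = (len(subset), total)
    return strata


def run_all(text=SAMPLE_CSV):
    """Run every check on a copy of the extract and return the exceptions."""
    records = load_records(text)
    return {
        "sequence_gaps": sequence_gaps(records),
        "duplicate_seq": duplicates(records),
        "duplicate_content": duplicates(records, ("vendor", "qty", "unit_price", "amount")),
        "recompute_exceptions": recomputation_exceptions(records),
        "missing_approver": [r["seq"] for r in select(records, lambda r: not r["approver"])],
        "strata": stratify(records, [("under_500", 0, 500),
                                     ("500_to_1000", 500, 1000),
                                     ("1000_plus", 1000, 10**9)]),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Each check returns the exceptions rather than a pass/fail so that the result can be attached to the work papers as audit evidence: the gaps at 1004 and 1008, the repeated sequence number 1006, the three identical GLOBEX lines, the line whose amount does not recompute, and the line with no approver.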


An IS auditor should weigh the costs and benefits of CAATs before going through the effort, time and expense of purchasing or developing them. Issues to consider include:
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies (especially with a PC CAAT)
• Effort required to bring the source data into the CAATs for analysis
• Ensuring the integrity of imported data by safeguarding its authenticity
• Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
• Obtaining permission to install the software on the auditee servers
• Reliability of the software
• Confidentiality of the data being processed

When developing CAATs, the following are examples of documentation to be retained:
• Online reports detailing high-risk issues for review
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents

CAATs documentation should be referenced to the audit program, and clearly identify the audit procedures and objectives being served. When requesting access to production data for use with CAATs, the IS auditor should request read-only access. Any data manipulation by the IS auditor should be applied to copies of production files in a controlled environment to ensure that production data are not exposed to unauthorized updating. Most of the CAATs provide for downloading production data from production systems to a standalone platform and then conducting analysis from the standalone platform, thereby insulating the production systems from any adverse impact.

CAATs as a Continuous Online Audit Approach
An increasingly important advantage of CAATs is the ability to improve audit efficiency through continuous online auditing techniques. To this end, IS auditors must develop audit techniques that are appropriate for use with advanced computerized systems. In addition, they must be involved in the creation of advanced systems at the early stages of development and implementation, and must make greater use of automated tools that are suitable for their organization's automated environment. This takes the form of the continuous audit approach. (For more detailed information on continuous online auditing, see chapter 3, Information Systems Acquisition, Development and Implementation.)

1.6.16 EVALUATION OF STRENGTHS AND WEAKNESSES
The IS auditor will review evidence gathered during the audit to determine if the operations reviewed are well controlled and effective. This is also an area that requires the IS auditor's judgment and experience. The IS auditor should assess the strengths and weaknesses of the controls evaluated and then determine if they are effective in meeting the control objectives established as part of the audit planning process.

A control matrix is often utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top axis and known controls to detect or correct errors are placed on the side axis. Then, using a ranking method, the matrix is filled with the appropriate measurements. When completed, the matrix will illustrate areas where controls are weak or lacking.

In some instances, one strong control may compensate for a weak control in another area. For example, if the IS auditor finds weaknesses in a system's transaction error report, the IS auditor may find that a detailed manual balancing process over all transactions compensates for the weaknesses in the error report. The IS auditor should be aware of compensating controls in areas where controls have been identified as weak.

While a compensating control situation occurs when one stronger control supports a weaker one, overlapping controls are two strong controls. For example, if a data center employs a card key system to control physical access and a guard inside the door requires employees to show their card key or badge, an overlapping control exists. Either control might be adequate to restrict access, but the two complement each other.

Normally, a control objective will not be achieved by considering one control adequate. Rather, the IS auditor will perform a variety of testing procedures and evaluate how these relate to one another. Generally a group of controls, when aggregated together, may act as compensating controls, and thereby minimize the risk. An IS auditor should always review for compensating controls prior to reporting a control weakness.

The IS auditor may not find each control procedure to be in place but should evaluate the comprehensiveness of controls by considering the strengths and weaknesses of control procedures.

Judging the Materiality of Findings
The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judging the potential effect of the finding if corrective action is not taken. A weakness in computer security physical access controls at a remote distributed computer site may be significant to management at the site, but will not necessarily be material to upper management at headquarters. However, there may be other matters at the remote site that would be material to upper management.

The IS auditor must use judgment when deciding which findings to present to various levels of management. For example, the IS auditor may find that the transmittal form for delivering tapes to the offsite storage location is not properly initialed or authorization evidenced by management as required by procedures. If the IS auditor finds that management otherwise pays attention to this process and that there have been no


problems in this area, the IS auditor may decide that the failure to initial transmittal documents is not material enough to bring to the attention of upper management. The IS auditor might decide to discuss this only with local operations management. However, there may be other control problems that will cause the IS auditor to conclude that this is a material error because it may lead to a larger control problem in other areas. The IS auditor should always judge which findings are material to various levels of management and report them accordingly.

1.6.17 COMMUNICATING AUDIT RESULTS
The exit interview, conducted at the end of the audit, provides the IS auditor with the opportunity to discuss findings and recommendations with management. During the exit interview, the IS auditor should:
• Ensure that the facts presented in the report are correct
• Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management
• Recommend implementation dates for agreed on recommendations

The IS auditor will frequently be asked to present the results of audit work to various levels of management. The IS auditor should have a thorough understanding of the presentation techniques necessary to communicate these results.

Presentation techniques could include the following:
• Executive summary—An easy-to-read, concise report that presents findings to management in an understandable manner. Findings and recommendations should be communicated from a business perspective. Detailed attachments can be more technical in nature since operations management will require the detail to correct the reported situations.
• Visual presentation—May include slides or computer graphics.

IS auditors should be aware that ultimately they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the management staff of the audited entity. The goal of such a discussion would be to gain agreement on the findings and develop a course of corrective action. In cases where there is disagreement, the IS auditor should elaborate on the significance of the findings, risks and effects of not correcting the control weakness. Sometimes the auditee's management may request assistance from the IS auditor in implementing the recommended control enhancements. The IS auditor should communicate the difference between the IS auditor's role and that of a consultant, and give careful consideration to how assisting the auditee may adversely affect the IS auditor's independence.

Once agreement has been reached with the auditee, IS audit management should brief senior management of the audited organization. A summary of audit activities will be presented periodically to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization, and thus provide the auditors with an independent route to report sensitive findings.

Audit Report Structure and Contents
Audit reports are the end product of the IS audit work. They are used by the IS auditor to report findings and recommendations to management. The exact format of an audit report will vary by organization; however, the skilled IS auditor should understand the basic components of an audit report and how it communicates audit findings to management.

Note: The CISA candidate [...] ISACA S7 Reporting and S8 Follow-up Activities.

There is no specific format for an IS audit report; the organization's audit policies and procedures will dictate the general format. Audit reports will usually have the following structure and content:
• An introduction to the report, including a statement of audit objectives, limitations to the audit and scope, the period of audit coverage, and a general statement on the nature and extent of audit procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
• A good practice is to include audit findings in separate sections. These findings can be grouped in sections by materiality and/or intended recipient.
• The IS auditor's overall conclusion and opinion on the adequacy of controls and procedures examined during the audit, and the actual potential risks identified as a consequence of detected deficiencies
• The IS auditor's reservations or qualifications with respect to the audit—This may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion and the overall evidence gathered during the audit should provide an even greater level of support for the audit conclusions.
• Detailed audit findings and recommendations—The IS auditor would decide whether to include specific findings in an audit report. This should be based on the materiality of the findings and the intended recipient of the audit report. An audit report directed to the audit committee of the board of directors, for example, may not include findings that are important only to local management but have little control significance to the overall organization. The decision of what to include in various levels of audit reports depends on the guidance provided by upper management.
• A variety of findings, some of which may be quite material while others are minor in nature. The auditor may choose to present minor findings to management in an alternate format such as by memorandum.

The IS auditor, however, should make the final decision about what to include or exclude from the audit report. Generally, the IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improving processes and controls or effective controls already in place. Overall, the IS auditor should exercise independence in the reporting process.


Auditee management evaluates the findings, stating corrective actions to be taken and timing for implementing these anticipated corrective actions.

Management may not be able to implement all audit recommendations immediately. For example, the IS auditor may recommend changes to an information system that is also undergoing other changes or enhancements. The IS auditor should not necessarily expect that the other changes will be suspended until the auditor's recommendations are implemented. Rather, all may be implemented at once.

The IS auditor should discuss the recommendations and any planned implementation dates while in the process of releasing the audit report. The IS auditor must realize that various constraints—such as staff limitations, budgets or other projects—may limit immediate implementation. Management should develop a firm program for corrective actions. It is important to obtain a commitment from the auditee/management on the date by which the action plan will be implemented ([...] the solution can be something which takes a long time for implementation) and the manner in which it will be performed since the corrective action may bring certain risks that may be avoided if identified while discussing and finalizing the audit report. If appropriate, the IS auditor may want to report to upper management on the progress of implementing recommendations.

ISACA IS auditing standard S7 and the ISACA IS Auditing Guideline on Reporting (G20) state that the report should include all significant audit findings. When a finding requires explanation, the IS auditor should describe the finding, its cause and risk. When appropriate, the IS auditor should provide the explanation in a separate document and make reference to it in the report. For example, this approach may be appropriate for highly confidential matters. The IS auditor should also identify the organizational, professional and governmental criteria applied such as COBIT. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, the IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. Prior communication of significant findings should not alter the intent or content of the report.

1.6.18 MANAGEMENT IMPLEMENTATION OF RECOMMENDATIONS
IS auditors should realize that auditing is an ongoing process. The IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed on corrective actions have been implemented. Although IS auditors who work for external audit firms may not necessarily follow this process, they may achieve these tasks if agreed to by the audited entity.

The timing of the follow-up will depend on the criticality of the findings and would be subject to the IS auditor's judgment. The results of the follow-up should be communicated to appropriate levels of management.

The level of the IS auditor's follow-up review will depend on several factors. In some instances, the IS auditor may merely need to inquire as to the current status. In other instances, the IS auditor who works in an internal audit function may have to perform certain audit steps to determine whether the corrective actions agreed on by management have been implemented.

1.6.19 AUDIT DOCUMENTATION
Audit documentation should include, at a minimum, a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations
• Audit documentation relation with document identification and dates

It is also recommended that documentation include:
• A copy of the report issued as a result of the audit work
• Evidence of audit supervisory review

Documents should include audit information that is required by laws and regulations, contractual stipulations and professional standards. Audit documentation is the necessary evidence supporting the conclusions reached, and hence should be clear, complete, easily retrievable and sufficiently comprehensible.

Audit documentation is generally the property of the auditing entity and should be accessible only to authorized personnel under specific or general permission. Where access to audit documentation is requested by external parties, the auditor should obtain appropriate prior approval of senior management and legal counsel.

The IS auditor/IS audit department should also develop policies regarding custody, retention requirements and release of audit documentation.

The documentation format and media are optional, but due diligence and best practices require that work papers are dated, initialed, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed and kept in custody. Work papers may be automated. IS auditors should particularly consider how to maintain integrity and protection of audit test evidence to preserve their proof value in support of audit results.

Audit documentation or work papers can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition—with traceability and accountability—from objectives to report and from report to objectives. The audit report, in this context, can be viewed as a set of particular work papers.
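One way to maintain the integrity of audit test evidence, as section 1.6.19 asks, and to record the time stamp of downloaded data that the CAAT checklist in 1.6.15 calls for: a manifest of SHA-256 digests and capture times over the evidence files, sealed with an HMAC so that edits to the manifest itself are also detectable. This is an added example, not ISACA's code or any audit product; the evidence files, file names and the key are constructed, and in practice the key would be held by audit management separately from the work papers.

```python
"""Integrity manifest for audit evidence and work papers (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, captured_by):
    """Digest every file under evidence_dir and record who captured it and when."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "captured_by": captured_by,
        "files": dict(sorted(files.items())),
    }


def seal_manifest(manifest, key):
    """HMAC over a canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_is_valid(manifest, seal, key):
    """Constant-time comparison of the stored seal against a fresh one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_manifest(evidence_dir, manifest):
    """Compare the directory against the manifest: unchanged, modified, missing, unlisted."""
    current = build_manifest(evidence_dir, "verifier")["files"]
    listed = manifest["files"]
    return {
        "ok": sorted(p for p in listed if p in current and current[p]["sha256"] == listed[p]["sha256"]),
        "modified": sorted(p for p in listed if p in current and current[p]["sha256"] != listed[p]["sha256"]),
        "missing": sorted(p for p in listed if p not in current),
        "unlisted": sorted(p for p in current if p not in listed),
    }


def demo():
    """Capture two constructed evidence files, then show what verification reports
    after one is altered, one deleted, one added, and the manifest itself edited."""
    key = b"constructed-demo-key-held-by-audit-management"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as d:
        def write(rel, data):
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)

        write("po_extract.csv", b"seq,amount\n1001,125.00\n1002,120.00\n")
        write("extract_query.sql", b"SELECT seq, amount FROM po_lines;\n")
        manifest = build_manifest(d, "is-auditor-1")
        seal = seal_manifest(manifest, key)

        with open(os.path.join(d, "po_extract.csv"), "ab") as f:
            f.write(b"1003,999.99\n")                        # evidence altered after capture
        os.remove(os.path.join(d, "extract_query.sql"))      # evidence removed
        write("notes.txt", b"added later\n")                 # file not in the manifest

        # An attempt to "fix" the manifest to match the altered file: the digest
        # now agrees, but the seal no longer does.
        tampered = json.loads(json.dumps(manifest))
        tampered["files"]["po_extract.csv"]["sha256"] = sha256_file(os.path.join(d, "po_extract.csv"))
        return {
            "verification": verify_manifest(d, manifest),
            "seal_ok_original": seal_is_valid(manifest, seal, key),
            "seal_ok_tampered": seal_is_valid(tampered, seal, key),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and its seal are themselves work papers: filing them beside the evidence, with the seal verifiable by a second person holding the key, gives the traceability from evidence to report that the text asks for.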


Audit documentation should support the finding and conclusions/opinion. Time of evidence sometimes will be crucial to supporting audit findings and conclusions. The IS auditor should take enough care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions. An IS auditor should be able to prepare adequate working papers, narratives, questionnaires and understandable system flowcharts.

IS auditors are a scarce and expensive resource. Any technology capable of increasing the audit productivity is welcome. Automating work papers affects productivity directly and indirectly (granting access to other auditors, reusing documents or parts of them in recurring audits, etc.).

The quest for integrating work papers in the auditor's e-environment has resulted in all major audit and project management packages, CAATs and expert systems offering a complete array of automated documentation and import-export features.

ISACA IS audit and assurance standards and guidelines set forth many specifications about work papers, including how to use those of other auditors (previous or contractors); the need to document the audit plan, program and evidence; or the use of CAATs or sampling (G1 Using the Work of Other Auditors, G2 Audit Evidence Requirement, G3 Use of Computer-assisted Audit Techniques (CAATs) and G8 Audit Documentation).

1.7 CONTROL SELF-ASSESSMENT
Control self-assessment (CSA) is an assessment of controls made by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable. It also ensures that employees are aware of the risks to the business and they conduct periodic, proactive reviews of controls. It is a methodology used to review key business objectives, risks involved in achieving the business objectives and internal controls designed to manage these business risks in a formal, documented collaborative process.

In practice, CSA is a series of tools on a continuum of sophistication ranging from simple questionnaires to facilitated workshops, designed to gather information about the organization by asking those with a day-to-day working knowledge of an area as well as their managers. The basic tools used during a CSA project are the same whether the project is technical, financial or operational. These tools include management meetings, client workshops, worksheets, rating sheets and the CSA project approach. Like the continuum of tools used to gather information, there are diverse approaches to the levels below management that are queried; some organizations even include outsiders (such as clients or trading partners) when making CSA assessments.

The CSA program can be implemented by various methods. For small business units within organizations, it can be implemented by facilitated workshops where functional management and control professionals such as auditors can come together and deliberate how best to evolve a control structure for the business unit.

In a workshop, the role of a facilitator is to support the decision-making process. The facilitator creates a supportive environment to help participants explore their own experiences and those of others, identify control strengths and weaknesses, and share their knowledge, ideas and concerns. If appropriate, a facilitator may also offer his/her own expertise in addition to facilitating the exchange of ideas and experience. A facilitator does not have to be an expert in a certain process or subject matter; however, the facilitator should have basic skills such as:
• Active listening skills and the ability to ask good questions, including questions that probe the topics and move the discussions forward.
• Good verbal communication skills, including the ability to pose questions in a nonthreatening manner and the ability to summarize material.
• The ability to manage the dynamics of the group, including managing various personalities so that a few members do not dominate the discussions and managing processes so that goals are met.
• The ability to resolve conflicts.
• The ability to manage time and keep the proceedings on schedule.

In the organizations with offices located at geographically dispersed locations, it may not be practical to organize facilitated workshops. In this case, a hybrid approach is needed. A questionnaire based on the control structure can be used. Operational managers can periodically complete the questionnaire, which can be analyzed and evaluated for effectiveness of the controls. However, a hybrid approach will be effective only if the analysis and readjustment of the questionnaire is performed using a life cycle approach, as shown in exhibit 1.10.

1.7.1 OBJECTIVES OF CSA
There are several objectives associated with adopting a CSA program. The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas. It is not intended to replace audit's responsibilities, but to enhance them. Auditees such as line managers are responsible for controls in their environment; the managers also should be responsible for monitoring the controls. CSA programs also must educate management about control design and monitoring, particularly concentration on areas of high risk. These programs are not just policies requiring clients to comply with control standards. Instead, they offer a variety of support ranging from written suggestions outlining acceptable control environments to in-depth workshops. When workshops are included in the program, an additional objective—the empowerment of workers to assess or even design the control environment—may be included in the program.

When employing a CSA program, measures of success for each phase (planning, implementation and monitoring) should be developed to determine the value derived from CSA and its future use. One critical success factor (CSF) is to conduct a meeting with the business unit representatives (including appropriate and relevant staff and management) to identify the business unit's primary objective—to determine the reliability of the internal control system. In addition, actions that increase the likelihood of achieving the primary objective should be identified.

Exhibit 1.10 (figure; its content did not survive the scan)

A generic set of goals and metrics for each process, which can be used in designing and monitoring the CSA program, has been [...]. COBIT is a governance and control framework that provides guidance in the development of the control assessment method. One could develop a CSA method by identifying the tasks and processes that are relevant to the business environment, and then defining the controls for relevant activities. A CSA questionnaire can be developed using the statements in the relevant control objectives of the identified IT processes. Various components of the COBIT framework such as input-output matrix, RACI chart, goals and metrics, and maturity model can be converted in the form of a CSA questionnaire to assess each of the areas as required.

1.7.2 BENEFITS OF CSA
Some of the benefits of a CSA include the following:
• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
• Increased employee awareness of organizational objectives, and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act

1.7.3 DISADVANTAGES OF CSA
CSA does potentially contain several disadvantages which include:
• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload (e.g., one more report to be submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls

1.7.4 AUDITOR ROLE IN CSA
The auditor's role in CSAs should be considered enhanced when audit departments establish a CSA program. When these programs are established, auditors become internal control professionals and assessment facilitators. Their value in this role is evident when management takes responsibility and ownership for internal control systems under their authority through process improvements in their control structures, including an active monitoring component.

For an auditor to be effective in this facilitative and innovative role, the auditor must understand the business process being assessed. This can be attained via traditional audit tools such as a preliminary survey or walk-through. Also, the auditors must remember that they are the facilitators and the [...] CSA process. For example, [rather than] the IS auditor performing detailed audit procedures, the auditor will lead and guide the auditees in assessing their environment by providing insight about the objectives of controls based on risk assessment. The managers, with a focus on improving the productivity of the process, might suggest replacement of preventive controls. In this case, the auditor is better positioned to explain the risks associated with such changes.
1.7.5 TECHNOLOGY DRIVERS FOR CSA

The development of techniques for empowerment, information gathering and decision making is a necessary part of a CSA program implementation. Some of the technology drivers include the combination of hardware and software to support CSA selection, and the use of an electronic meeting system and computer-supported decision aids to facilitate group decision making. Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal. In case of a questionnaire approach, the same principle applies for the analysis and readjustment of the questionnaire.

1.7.6 TRADITIONAL VS. CSA APPROACH

The traditional approach can be summarized as any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors, and to a lesser extent, controller departments and outside consultants. This approach has created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control. The CSA approach, on the other hand, emphasizes management and accountability over developing and monitoring internal controls of an organization's sensitive and critical business processes.

A summary of attributes or focus that distinguishes each from the other is described in exhibit 1.11.

1.8 THE EVOLVING IS AUDIT PROCESS

The IS audit process must continually change to keep pace with innovations in technology. Topics to address these evolving changes include areas such as integrated auditing and continuous auditing.

1.8.1 INTEGRATED AUDITING

Dependence of business processes on information technology has necessitated that traditional financial and operational auditors develop an understanding of IT control structures, and IS auditors develop an understanding of the business control structures. Integrated auditing can be defined as the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity.

The integrated approach focuses on risk. A risk assessment aims to understand and identify risks arising from the entity and its environment, including relevant internal controls. At this stage, the role of IT audit is typically to understand and identify risks under topical areas such as information management, IT infrastructure, IT governance and IT operations. Other audit specialists will seek to understand the organizational environment, business risks and business controls. A key element of the integrated approach is discussion of the risks arising among the whole audit team, with consideration of impact and likelihood.

Detailed audit work then focuses on the relevant controls in place to manage these risks. IT systems frequently provide a first line of preventive and detective controls, and the integrated audit approach depends on a sound assessment of their efficiency and effectiveness.

The integrated audit process typically involves:
• Identification of risks faced by the organization for the area being audited
• Identification of relevant key controls
• Review and understanding of the design of key controls
• Testing that key controls are supported by the IT system
• Testing that management controls operate effectively
• A combined report or opinion on control risks, design and weaknesses

The integrated audit demands a focus on business risk and a drive for creative control solutions. It is a team effort of auditors with different skill sets. Using this approach permits a single audit of an entity with one comprehensive report. An additional benefit is that this approach assists in staff development and retention by providing greater variety and the ability to see how all of the elements (functional and IT) mesh together to form the complete picture. See exhibit 1.12 for an integrated auditing approach.

The integrated audit concept has also radically changed the manner in which audits are looked on by the different stakeholders. Employees or process owners better understand the objectives of an audit as they are able to see the linkage between controls and audit procedures. Top management better understands the linkage between increased control effectiveness
and corresponding improvements in the allocation and utilization of IT resources. Shareholders are able to better understand the linkage between the push for a greater degree of corporate governance and its impact on the generation of financial statements that can be relied on. All these developments have led to greater impetus for the growing popularity of integrated audits.

1.8.2 CONTINUOUS AUDITING

The focus on increased effectiveness and efficiency of assurance, internal auditing and control has spurred the development of new studies and examination of new ideas concerning continuous auditing as opposed to more traditional periodic auditing reviews. Several research studies and documents addressing the subject carry different definitions of continuous auditing. All studies, however, recognize that a distinctive character of continuous auditing is the short time lapse between the facts to be audited, the collection of evidence and audit reporting.

Traditional financial reports and the traditional audit style sometimes prove to be insufficient because they lack the essential element in today's business environment: updated information. Therefore, continuous auditing appears to be gaining more and more followers.

Some of the drivers of continuous auditing are a better monitoring of financial issues within a company, ensuring that real-time transactions also benefit from real-time monitoring, prevention of financial fraud and audit scandals such as Enron and WorldCom, and the use of software to determine that financial controls are proper. Continuous auditing involves a large amount of work because the company practicing continuous auditing will not provide one report at the end of a quarter, but will provide financial reports on a more frequent basis. Audit functions in organizations that use ERP platforms are increasingly using automated governance, risk and compliance (GRC) tools, which flag transactions that meet predefined criteria on a real-time basis. These tools are set up at the database level and pull data that meet the predefined criteria. Such data may include purchase invoices that have the same or similar address as that of an employee. The advantage of using these tools is that voluminous data are analyzed at a high speed to highlight relevant patterns of data that may be of interest to the auditors.

Continuous auditing is not a recent development. Traditional application systems may contain embedded audit modules. These would allow an auditor to trap predefined types of events, or to directly inspect abnormal or suspect conditions and transactions.

To properly understand the implications and requirements of continuous auditing, a clear distinction has to be made between continuous auditing and continuous monitoring:
• Continuous monitoring: provided by IS management tools and typically based on automated procedures to meet fiduciary responsibilities. For instance, real-time antivirus or intrusion detection systems (IDSs) may operate in a continuous monitoring fashion.
• Continuous auditing: "A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter" (from DeWayne L. Searcy and Jon B. Woodroof; "Continuous Auditing: Leveraging Technology," CICA/AICPA research report, May 2003). Continuous IS (and non-IS) auditing is typically completed using automated audit procedures.

Continuous auditing should be independent of continuous control or monitoring activities. When both continuous monitoring and auditing take place, continuous assurance can be established. In practice, continuous auditing is the precursor to management adopting continuous monitoring as a process on a day-to-day basis. Often, the audit function will hand over the techniques used in continuous auditing to the business, who will then run the continuous monitoring. This collaboration has led to increased appreciation among process owners of the value that the audit function brings to the organization, leading to greater confidence and trust between the business and auditors. Nevertheless, the lack of independence and objectivity inherent in continuous monitoring should not be overlooked, and continuous monitoring should never be considered as a substitute for the audit function.

Efforts on the subject of continuous auditing often incorporate new IT developments, increased processing capabilities of current hardware and software, standards, and artificial intelligence (AI) tools. Continuous auditing attempts to facilitate the collection and analysis of data at the moment of the transaction. Data must be gathered from different applications working within different environments, transactions must be screened, the transaction environment has to be analyzed to detect trends and exceptions, and atypical patterns (i.e., a transaction with significantly higher or lower value than typical for a given business partner) must be exposed. If all of this must happen in real time, perhaps even before final sign-off of a transaction, it is mandatory to adopt and combine various top-level IT techniques. The IT environment is a natural enabler for the application of continuous auditing because of the intrinsic automated nature of its underlying processes.
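Two of the predefined criteria described above (an invoice whose vendor address matches an employee's address, and an amount far outside a business partner's usual range), as an added example that is not ISACA's code. The employee, history and invoice records are constructed, and the address normalization and the 3x-median threshold are assumptions; the minimum-history guard shows one way to hold down the false positives the text warns about.

```python
"""Added example (not ISACA's code): two continuous-auditing rules of the kind
the text describes, run over constructed invoice and employee data."""
import re
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    vendor_address: str
    amount: float


def normalize_address(addr: str) -> str:
    """Canonical form so 'Suite 4' vs 'Ste 4' or odd punctuation still match
    (assumed normalization; a real GRC tool would use richer matching)."""
    lowered = re.sub(r"[^\w\s]", " ", addr.lower())
    short = {"street": "st", "avenue": "ave", "suite": "ste", "road": "rd"}
    return " ".join(short.get(tok, tok) for tok in lowered.split())


def employee_address_matches(invoices, employees):
    """Rule 1: vendor address equals an employee's home address."""
    index = {}
    for emp_id, addr in employees.items():
        index.setdefault(normalize_address(addr), []).append(emp_id)
    alerts = []
    for inv in invoices:
        hits = index.get(normalize_address(inv.vendor_address))
        if hits:
            alerts.append((inv.invoice_id,
                           "vendor address matches employee " + ",".join(hits)))
    return alerts


def atypical_amounts(invoices, history, min_history=5, factor=3.0):
    """Rule 2: amount more than `factor` above or below the partner's median.
    The median resists a single past outlier; partners with fewer than
    min_history past invoices are skipped because a thin baseline mostly
    produces false positives (constructed thresholds)."""
    alerts = []
    for inv in invoices:
        past = history.get(inv.vendor, [])
        if len(past) < min_history:
            continue
        base = median(past)
        if inv.amount > base * factor or inv.amount < base / factor:
            alerts.append((inv.invoice_id,
                           f"amount {inv.amount:.2f} vs partner median {base:.2f}"))
    return alerts


def run_rules(invoices, employees, history):
    """Exception list the auditor would receive, sorted by invoice id."""
    return sorted(employee_address_matches(invoices, employees)
                  + atypical_amounts(invoices, history))


# Constructed sample data.
EMPLOYEES = {"E100": "12 Oak Street, Suite 4", "E200": "90 Elm Avenue"}
HISTORY = {"Acme Ltd": [1000, 1100, 950, 1050, 1020, 980], "NewCo": [500]}
INVOICES = [
    Invoice("INV-1", "Acme Ltd", "1 Industrial Road", 1040.0),   # normal
    Invoice("INV-2", "Acme Ltd", "1 Industrial Road", 9800.0),   # ~10x median
    Invoice("INV-3", "QuickFix", "12 oak st, ste 4", 300.0),     # employee address
    Invoice("INV-4", "NewCo", "5 Harbour Road", 20000.0),        # too little history
]

if __name__ == "__main__":
    for invoice_id, reason in run_rules(INVOICES, EMPLOYEES, HISTORY):
        print(invoice_id, reason)
```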
Most current commercial applications could be customized with such features. However, cost and other considerations and the technical skills that would be required to establish and operate these tools tend to limit the usage of embedded audit modules to specific fields and applications.

Continuous auditing aims to provide a more secure platform to avoid fraud and a real-time process aimed at ensuring a high level of financial control.

Prerequisites/preconditions for continuous auditing to succeed include:
• A high degree of automation
• An automated and highly reliable process in producing information about subject matter soon after or during the occurrence of events underlying the subject matter
• Alarm triggers to report timely control failures
• Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
• Quickly informing IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors
• Quick and timely issuance of automated audit reports
• Technically proficient IS auditors
• Availability of reliable sources of evidence
• Adherence to materiality guidelines
• A change of mindset required for IS auditors to embrace continuous reporting
• Evaluation of cost factors

Simpler continuous auditing and monitoring tools are already built into many enterprise resource planning (ERP) packages and most operating system and network security packages. These environments, if appropriately configured and populated with rules, parameters and formulas, output exception lists on request while operating against actual data. Therefore, they represent an instance of continuous auditing. The difficult but significant added value to using these features is to postulate a definition of what would be a "dangerous" or exception condition. For instance, whether a set of granted IS access permissions is to be deemed risk-free will depend on having well-defined rules of segregation of duties. On the other hand, it may be much harder to decide if a given sequence of steps, taken to modify and maintain a database record, points to a potential risk.

IT techniques that are used to operate in a continuous auditing environment must work at all data levels (single input, transaction and databases) and include:
• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management system (DBMS)
• Data warehouses, data marts, data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language (XBRL)

Intelligent software agents may be used to automate the evaluation processes and allow for flexibility and dynamic analysis capabilities. The configuration and application of intelligent agents (sometimes referred to as bots) allows for continuous monitoring of systems settings and the delivery of alert messages when certain thresholds are exceeded or when certain conditions are met.

Full continuous auditing processes have to be carefully built into applications and work in layers. The auditing tools must operate in parallel to normal processing: capturing real-time data, extracting standardized profiles or descriptors, and passing the result to the auditing layers.

Continuous auditing has an intrinsic edge over point-in-time or periodic auditing because it captures internal control problems as they occur, preventing negative effects. Implementation can also reduce possible or intrinsic audit inefficiencies such as delays, planning time, inefficiencies of the audit process, overhead due to work segmentation, multiple quality or supervisory reviews, or discussions concerning the validity of findings.

Full top management support, dedication and extensive experience and technical knowledge are all necessary to accomplish continuous auditing, while minimizing the impact on the underlying audited business processes. The auditing tools and settings may also need continual adjustment and updating.

Besides difficulty and cost, continuous auditing has an inherent disadvantage in that internal control experts and auditors might be resistant to trust an automated tool in lieu of their personal judgment and evaluation. Also, mechanisms have to be put in place to eliminate false negatives and false positives in the reports generated by such audits so that the report generated continues to inspire stakeholders' confidence in the accuracy of the report.

The implementation of continuous auditing involves many difficult factors; however, the task is not impossible. There is an increasing desire to provide auditing over information in a real-time environment (or as close to real time as possible).

1.9 CASE STUDIES

The following case studies are included as a learning tool to reinforce the concepts introduced in this chapter. Exam candidates should note that the CISA exam does not currently use this format for testing.

1.9.1 CASE STUDY A

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment, and accordingly will assess management's review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.
What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

When testing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation.
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

See answers and explanations to the case study questions at the end of the chapter (page 67).

1.9.2 CASE STUDY B

An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a virtual private network (VPN) connection.

The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is:

A. generalized audit software (GAS).
B. test data.
C. utility software.
D. expert system.

Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and VPN configuration settings?

A. Documented risk analysis
B. Availability of technical expertise
C. Approach used in previous audit
D. IS auditing guidelines and best practices

During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:

A. review the authorization on a sample of transactions.
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a GAS to check the integrity of the database.

See answers and explanations to the case study questions at the end of the chapter (page 67).

1.9.3 CASE STUDY C

An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment the IS auditor noted that:
• The entity has an audit charter that detailed, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity.
• The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider.
• The entity has a new incumbent as Chief Information Security Officer (CISO), who reports to the Chief Financial Officer (CFO).
• The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording consistent growth over the last two years at double the industry average. However, the entity has seen increased employee turnover as well.

The FIRST priority of the IS auditor in year 1 should be to study the:

A. previous IS audit reports and plan the audit schedule.
B. audit charter and plan the audit schedule.
C. impact of the new incumbent as CISO.
D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule.

How should the IS auditor evaluate backup and batch processing within computer operations?

A. Plan and carry out an independent review of computer operations.
B. Rely on the service auditor's report of the service provider.
C. Study the contract between the entity and the service provider.
D. Compare the service delivery report to the service level agreement.

See answers and explanations to the case study questions at the end of the chapter (page 67).

1.10 ANSWERS TO CASE STUDY QUESTIONS

ANSWERS TO CASE STUDY A QUESTIONS

A1. A An IT risk assessment should be performed first to ascertain which areas present the greatest risks and what controls mitigate those risks. Although narratives and process flows have been created, the organization has not yet assessed which controls are critical. All other choices would be undertaken after performing the IT risk assessment.

A2. B When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. When a sample is chosen from a set of control documents, there is no way to ensure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample. These sampled changes should then be traced to appropriate authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any changes that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs will not provide evidence of proper approval of changes prior to their being migrated to production.

ANSWERS TO CASE STUDY B QUESTIONS

B1. C When testing the security of the entire application system (including operating systems, database and application security), the auditor will most likely use a utility software that assists in reviewing the configuration settings. In contrast, the auditor might use GAS to perform a substantive testing of data and configuration files of the application. Test data are normally used to check the integrity of the data and expert systems are used to inquire on specific topics.

B2. A In order to decide if the audit scope should include specific infrastructure components (in this case, the firewall rules and VPN configuration settings), the auditor should perform and document a risk analysis in order to determine which sections present the greatest risk and include these sections in the audit scope. The risk analysis may consider factors such as previous revisions to the system, related security incidents within the company or other companies of the same sectors, resources available to do the review and others. Availability of technical expertise and the approach used in previous audits may be taken into consideration; however, these should be of secondary importance. IS auditing guidelines and best practices provide a guide to the auditor on how to comply with IS audit standards, but by themselves they would not be sufficient to make this decision.

B3. A The auditor should first review the authorization on a sample of transactions in order to determine and be able to report the impact and materiality of this issue. Whether the auditor would immediately report the issue or wait until the end of the audit to report this finding will depend on the impact and materiality of the issue, which would require reviewing a sample of transactions. The use of GAS to check the integrity of the database would not help the auditor assess the impact of this issue.

ANSWERS TO CASE STUDY C QUESTIONS

C1. D In terms of priority, as the implementation of the new ERP will have far reaching consequences on the way IS controls are configured in the system, the IS auditor should study the impact of implementation of the ERP and plan the audit schedule accordingly. Preferably, the IS auditor should discuss the audit plan with the external auditor and the internal audit division of the entity to make the audit more effective and useful for the entity.

C2. D The service delivery report which captures the actual performance of the service provider against the contractually agreed on levels provides the best and most objective basis for evaluation of the computer operations. The Service Auditor's Report is likely to be more useful from a controls evaluation perspective for the external auditor of the entity.
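The sampling-direction point made in answer A2 (trace from production changes to authorizing documents, not from documents to changes), as an added example that is not ISACA's material. The deployment log and the approved change records are constructed; two hotfixes reached production with no record, and only the direction A2 recommends can surface them.

```python
"""Added example (not ISACA's material): why a change-management sample is drawn
from production changes and traced to approvals, shown on constructed data."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    """One change that actually reached production (constructed log entry)."""
    change_id: str
    component: str
    deployed_at: str


@dataclass(frozen=True)
class ChangeRecord:
    """One approved change-management document (constructed)."""
    change_id: str
    approved_by: str


def trace_changes_to_approvals(sampled_deployments, records):
    """Direction A2 recommends: start from what reached production and look
    for the authorizing document. Returns deployments with no approval."""
    approved = {r.change_id for r in records}
    return [d for d in sampled_deployments if d.change_id not in approved]


def trace_approvals_to_changes(sampled_records, deployments):
    """Reverse direction (options A and C): start from the documents. A change
    that bypassed the process has no document, so it can never be selected."""
    deployed = {d.change_id for d in deployments}
    return [r for r in sampled_records if r.change_id not in deployed]


def draw_sample(population, size, seed):
    """Seeded random sample so the selection can be re-performed later."""
    rng = random.Random(seed)
    return rng.sample(list(population), min(size, len(population)))


def reconcile(deployments, records):
    """Full-population reconciliation (what a CAAT would run instead of a
    manual sample): count and list production changes lacking a document."""
    unauthorized = trace_changes_to_approvals(deployments, records)
    return {
        "deployments": len(deployments),
        "records": len(records),
        "unauthorized": sorted(d.change_id for d in unauthorized),
    }


# Constructed data: five approved changes, two hotfixes deployed with no record.
RECORDS = [ChangeRecord(f"CHG-{i}", "change board") for i in range(1, 6)]
DEPLOYMENTS = [Deployment(f"CHG-{i}", "ledger", f"2014-03-0{i}T10:00")
               for i in range(1, 6)]
DEPLOYMENTS += [Deployment("HF-77", "ledger", "2014-03-07T23:40"),
                Deployment("HF-78", "payroll", "2014-03-09T02:15")]

if __name__ == "__main__":
    doc_sample = draw_sample(RECORDS, 3, seed=1)
    print("exceptions when sampling documents:",
          trace_approvals_to_changes(doc_sample, DEPLOYMENTS))
    print("exceptions when sampling deployments:",
          reconcile(DEPLOYMENTS, RECORDS)["unauthorized"])
```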