1. 2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
2. Quick Reference Review
• IS Auditor Roles and associated Responsibilities
• Assurance Assignment vs Consulting Assignment
• Internal Audit Environment vs External Context
• Minimum audit planning requirements for an IS audit assignment
• ISACA Standards and ISACA guidelines for IS auditing
• Audit risk vs Business risk
• Role of audit evidence
• Compliance testing vs Substantive testing
3. 1.2 Management of the IS Audit Function
• Ensures that the diverse audit tasks fulfil the objectives of the audit function
• Preserves audit independence and competence
4. 1.2.1 Organization of the IS Audit Function
• IS audit services can be provided externally or internally
• IS audit can be part of internal audit, function as an independent group, or be integrated
with other management audits
• The role of the IS internal audit function should be established by an audit charter approved by
senior management; the charter should clearly state:
• Management's responsibility
• Objectives and delegation of authority
• Scope and responsibilities of the audit function
5. 1.2.2 IS Audit Resource Management
• IS auditors must maintain their competency and proficiency
6. 1.2.3 Audit Planning
Annual Planning:
• Covers both short-term and long-term planning
Audit Universe:
• Lists all the processes that may be considered for audit
• Subject to risk assessment
• Analysis of short-term and long-term issues should occur at least annually
7. Individual Audit Assignments
• Each individual audit must be planned
• Must consider system implementation/upgrade deadlines, and current and future
technologies
9. 1.2.4 Effect of Laws & Regulations on Audit Planning
• Regardless of the size and complexity of the business, every organization needs to
comply with laws and regulations
10. 1.3 ISACA IS Audit & Assurance Standards & Guidelines
11. 1.3.2 ISACA IS Audit & Assurance Standards Framework
General
• 1001 Audit Charter
• 1002 Organizational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertions
• 1008 Criteria
Performance
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts
Reporting
• 1401 Reporting
• 1402 Follow-up Activities
12. 1.3.3 ISACA IS Audit and Assurance Guidelines
• The objective of the ISACA IS Audit and Assurance Guidelines is to provide further
information on how to comply with ISACA IS Audit and Assurance Standards.
• The IS auditor should:
• Consider them in determining how to implement the above standards
• Use professional judgment in applying them to specific audits
• Be able to justify any departure from them
13. 1.3.4 ISACA IS Audit & Assurance Tools & Techniques
• Provide information on how to meet the standards when performing IS auditing
work, but DO NOT set requirements
14. 1.3.5 Relationship Among Standards, Guidelines, Tools & Techniques
• Standards defined by ISACA are TO BE followed by the IS auditor
• Guidelines provide assistance on how the auditor can implement standards in
various audit assignments
• Tools and techniques provide examples of steps the auditor may follow in specific
audit assignments
15. 1.3.6 Information Technology Assurance Framework (ITAF)
• A comprehensive & good-practice-setting model:
• Provides guidance on the design, conduct and reporting of IS audit and assurance
assignments
• Defines terms and concepts specific to IS assurance
• Establishes standards that address IS audit and assurance professionals' roles and responsibilities,
knowledge and skills, and diligence, conduct and reporting requirements
• Includes three categories of standards – General, Performance and Reporting – as well as
Guidelines, Tools and Techniques
18. 1.4 Risk Analysis
• Part of audit planning, and helps identify risks and vulnerabilities so the IS auditor
can determine the controls needed to mitigate those risks
• IS auditors must be able to identify and differentiate risk types and the controls
used to mitigate risks
• Risk = Combination of probability of an event and its consequence
21. 1.5 Internal Controls
• Composed of policies, procedures, practices and organizational structures which
are implemented to reduce risk
• Provide reasonable assurance to management that business objectives will be
achieved and that undesired risk events will be prevented, detected and corrected
• Operate at all levels of the organization to mitigate its exposure to risk
23. 1.5.1 IS Control Objectives
• Control objectives are statements of the desired result or purpose to be achieved by
implementing control activities
• Provide a complete set of high-level requirements to be considered by management for
effective control of each IT process
• IS control objectives are:
• Statements of the desired result or purpose to be achieved
• Comprised of policies, procedures, practices and organizational structures
• Designed to provide reasonable assurance that business objectives will be achieved
24. 1.5.2 COBIT 5
• A comprehensive framework that assists in achieving the objectives for the
Governance and Management of enterprise IT
• Helps enterprises create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use
26. • Governance:
• Governance ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on-enterprise objectives to be achieved; setting direction
through prioritization and decision making; and monitoring performance and
compliance against agreed-on direction and objectives
• Management:
• Management plans, builds, runs and monitors activities in alignment with the
direction set by the governance body to achieve the enterprise objectives
27. 1.5.3 General Controls
• Controls include policies, procedures, and practices established by management to
provide reasonable assurance that specific objectives will be achieved
• Internal accounting controls
• Operational controls
• Administrative controls
• Physical and logical security controls
28. 1.5.4 IS Controls
• General controls are translated into IS-specific controls covering:
• Access to IT resources, including data and programs
• Operations procedures
• Systems programming and technical support functions
• QA procedures
• Physical access controls
• BCP/DRP
• Database Administration
• Networks and communications
29. 1.6 Performing an IS Audit
• Plan the audit engagement
• Build the audit plan
• Execute the plan
• Monitor project activity
31. 1.6.2 Audit Programs
• A step-by-step set of audit procedures and instructions that should be performed
to complete an audit
• Embodies the audit strategy and the audit plan
• Based on the scope and objectives of each assignment
• IS auditors evaluate against the information criteria: security (confidentiality, integrity,
availability), quality (effectiveness, efficiency), fiduciary (compliance, reliability), service
and capacity
32. 1.6.3 Audit Methodology
• A set of documented audit procedures designed to achieve planned audit
objectives
• Components include:
• Statement of Scope
• Statement of audit objectives
• Statement of audit programs
• Set up and approved by audit management
34. 1.6.4 Fraud Detection
• IS auditors should be aware of the possibility and means of perpetrating fraud
• Should have knowledge and experience of fraud and fraud indicators
• Evaluate fraud indicators and communicate them to the appropriate authorities
• In the case of major fraud, or where the risk of fraud is high, audit management MUST
report to the audit committee
35. 1.6.5 Risk-Based Auditing
• Effective risk-based auditing is driven by two processes:
• The risk assessment that drives the audit schedule
• The risk assessment that minimizes audit risk during the execution of an
audit
• The risk-based approach is also used to develop and improve the continuous audit process
• Assists the IS auditor in deciding whether to perform compliance testing or substantive testing
37. 1.6.6 Audit Risk and Materiality
Audit Risk:
• The risk that information may contain a material error that may go undetected
during the course of the audit
• The IS auditor must have a sound understanding of these audit risks when planning an audit
39. 1.6.7 Risk Assessment and Treatment
• Risk assessment identifies, quantifies and prioritizes risks against the criteria for risk
acceptance and the objectives relevant to the organization
40. 1.6.8 Risk Assessment Techniques
• One technique is a scoring system that ranks audit areas by priority
• Another is simple classification, e.g. High, Medium, Low
• Another technique is judgmental, based on business knowledge, executive
management directives, historical perspectives, business goals etc.
• A combination of all of these is usually used
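The three techniques above are rarely used in isolation; the following is an added example (written for this review, not part of the course material or any ISACA publication) that combines them and feeds the result into the audit schedule described under 1.6.5. The 1-5 likelihood and impact scales, the High/Medium/Low thresholds, the 1/2/3-year review cycles, the 10% floor on residual risk and the audit-universe entries are all assumptions constructed for the example.

```python
"""Risk-scored audit universe -> prioritised audit schedule (added example).

Not from the course or from ISACA: it illustrates sections 1.4, 1.6.5 and
1.6.8 by combining a numeric scoring system, a High/Medium/Low
classification and a judgmental override, then deriving the audit schedule
from the result. The 1-5 scales, the thresholds, the review cycles and the
audit universe entries are assumptions / constructed data for this example.
"""
from dataclasses import dataclass


@dataclass
class AuditableEntity:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective), from the last audit
    mandated: bool = False        # regulator or executive directive requires an annual audit
    years_since_audit: int = 0


# Assumed classification thresholds on the residual score (maximum possible is 25)
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 12.0, 6.0
# Assumed review cycle, in years, per rating: this is what turns a rating into a schedule
CYCLE_YEARS = {"High": 1, "Medium": 2, "Low": 3}
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def inherent_risk(e: AuditableEntity) -> float:
    """Section 1.4: risk = probability of an event x its consequence."""
    return float(e.likelihood * e.impact)


def residual_risk(e: AuditableEntity) -> float:
    """Controls reduce the exposure; even a fully effective control is assumed
    to leave 10% of the inherent risk."""
    return inherent_risk(e) * (1.0 - 0.9 * e.control_effectiveness)


def classify(score: float) -> str:
    """Simple classification of a score into High / Medium / Low."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def rate(e: AuditableEntity) -> str:
    """Combined technique: scored rating, then a judgmental override for
    areas that management or a regulator has directed to be audited."""
    return "High" if e.mandated else classify(residual_risk(e))


def due_this_year(e: AuditableEntity) -> bool:
    return e.years_since_audit + 1 >= CYCLE_YEARS[rate(e)]


def plan(universe):
    """Entities due for audit this cycle, highest rating and residual risk first."""
    due = [e for e in universe if due_this_year(e)]
    return sorted(due, key=lambda e: (RATING_ORDER[rate(e)], -residual_risk(e)))


# Constructed audit universe for the example
SAMPLE_UNIVERSE = [
    AuditableEntity("Payroll application", 3, 5, 0.8),
    AuditableEntity("Privileged access management", 4, 5, 0.3),
    AuditableEntity("Backup and restore (DRP)", 3, 4, 0.5, years_since_audit=1),
    AuditableEntity("Data privacy (regulatory)", 2, 3, 0.9, mandated=True),
    AuditableEntity("Intranet wiki", 2, 1, 0.5, years_since_audit=2),
]

if __name__ == "__main__":
    for e in plan(SAMPLE_UNIVERSE):
        print(f"{rate(e):6} {residual_risk(e):5.1f}  {e.name}")
```

Running the script lists four entities for this year's schedule: privileged access management (High, residual 14.6) and the regulatory privacy review (High only because of the mandate; its score alone would be Low) come first, then backup and restore (Medium, due on its two-year cycle), then the intranet wiki (Low, but three years since its last audit). The payroll application scores Low after its strong controls and was audited last year, so it drops out. The judgmental override is deliberately kept separate from the scoring so that the working papers show both the computed rating and the reason it was overridden.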
41. 1.6.9 Audit Objectives
• Refer to the specific goals that must be accomplished by the audit
• Focus on substantiating that internal controls exist to minimize risks and they function as
expected
• A key element in planning an IS audit is to translate basic audit objective into specific IS
audit objectives
• Basic purpose of any IS audit is to identify “control objectives” and the related controls
that address that objective
• “Control objective” refers to how an internal control should function
43. 1.6.10 Compliance vs. Substantive Testing
• The level of internal control directly determines the amount of substantive testing required:
the stronger the controls, the less substantive testing is needed
• If compliance tests reveal the presence of adequate internal controls, the substantive
procedures can be minimized
Compliance Testing:
• Tests an organization's compliance with its control procedures
• Determines whether controls are being applied in a manner that complies
with management policies and procedures
• Provides IS auditors with reasonable assurance that a particular control is operating as
expected
• Used to test the existence and effectiveness of a defined process
Substantive Testing:
• Evaluates the integrity of individual transactions, data or other information
• Substantiates the integrity of actual processing
• Normally used to test for monetary errors directly affecting financial statement balances
45. 1.6.11 Evidence
• Any information used by the IS auditor to determine whether the entity or data
being audited follows the established criteria or objectives
• May include auditor’s observations, notes taken from the interviews, results of
independent confirmations, documentation, results of audit test procedures etc.
• The “quality” and “quantity” of evidence must be assessed by the IS auditor
• Referred to as “competent” (quality) and “sufficient” (quantity)
46. • Evidence is “competent” when it is both valid and relevant
• Techniques for gathering evidence:
• Reviewing IS organizational structures
• Reviewing IS policies and procedures
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance
• Walkthroughs
47. 1.6.12 Interviewing & Observing Personnel in the Performance of Their Duties
• Assists IS auditors in identifying:
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
• The IS auditor should also be aware of the drawbacks of observation
48. 1.6.13 Sampling
• Used when time and cost preclude a total verification of all transactions or events
in a pre-defined population
• Two general approaches:
• Statistical Sampling
• Objective method of determining the sample size and selection criteria
• Uses the mathematical laws of probability to:
• Calculate the sampling size
• Select the sample items
• Evaluate the sample results and make the inference
• Quantitatively decides how closely the sample should represent the population
(the confidence coefficient), expressed as a percentage
49. • Non-statistical Sampling
• Uses auditor judgment to determine the method of sampling, the number of
items that will be examined from a population and which items to select
• Based on subjective judgment
• Two primary methods of sampling:
• Attribute sampling
• Generally applied in compliance tests
• Variable sampling
• Generally applied in substantive tests
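Attribute sampling is the statistical approach an IS auditor applies to a compliance test, and the three steps the slide lists (calculate the sample size, select the items, evaluate the result) can be carried out with nothing more than the binomial distribution. The block below is an added example written for this review, not code from the course or from ISACA and not a substitute for the published sampling tables. The parameters (95% confidence, 5% tolerable deviation rate, 1% expected deviation rate), the population of change-ticket identifiers and the deviation counts are constructed for the example.

```python
"""Statistical attribute sampling for a compliance test (added example).

Not from the course: it illustrates section 1.6.13 by using the binomial
distribution to (1) compute the sample size, (2) select the sample items and
(3) evaluate the result as an upper deviation limit. The confidence level,
tolerable and expected deviation rates and the population of change-ticket
IDs are assumptions / constructed data for the example.
"""
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable, expected, confidence, max_n=5000):
    """Smallest n such that, if the sample shows the expected number of
    deviations (rounded up), the population deviation rate can be concluded
    to be below `tolerable` with the required confidence."""
    for n in range(1, max_n + 1):
        k = math.ceil(expected * n)          # deviations expected in a sample of n
        if binom_cdf(k, n, tolerable) <= 1.0 - confidence:
            return n
    raise ValueError("these parameters need a sample larger than max_n")


def upper_deviation_limit(n, deviations, confidence):
    """Largest population deviation rate still consistent with the sample:
    the smallest p with P(X <= deviations | n, p) <= 1 - confidence."""
    lo, hi = 0.0, 1.0
    for _ in range(50):                      # bisection, converges far below 1e-6
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1.0 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def select_sample(population, n, seed=2016):
    """Random selection without replacement; a fixed seed makes the selection
    reproducible for the working papers (assumed seed value)."""
    return sorted(random.Random(seed).sample(population, n))


def evaluate(n, deviations, tolerable, confidence):
    """Step 3: can the auditor rely on the control at this confidence level?"""
    udl = upper_deviation_limit(n, deviations, confidence)
    return {"upper_deviation_limit": udl, "rely_on_control": udl <= tolerable}


if __name__ == "__main__":
    CHANGE_TICKETS = [f"CHG-{i:05d}" for i in range(1, 2501)]   # constructed population
    n = attribute_sample_size(tolerable=0.05, expected=0.01, confidence=0.95)
    sample = select_sample(CHANGE_TICKETS, n)
    print(f"sample size {n}, first items {sample[:3]}")
    print("1 deviation found:", evaluate(n, 1, 0.05, 0.95))
    print("3 deviations found:", evaluate(n, 3, 0.05, 0.95))
```

With 5% tolerable, 1% expected and 95% confidence the function returns a sample of 93, and with 0% expected it returns 59 (29 at a 10% tolerable rate); these agree with the commonly published attribute sampling tables, which is a useful check that the arithmetic is right. One deviation in 93 still supports reliance (upper limit just under 5%), three deviations do not: the auditor then extends substantive testing rather than relying on the control, which is exactly the link between compliance and substantive testing described in 1.6.10.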
51. 1.6.14 Using the services of other auditors & experts
• The following should be considered with regards to using the services of other
auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and
regulations
• Audit charter
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence
• Scope of work
• Supervisory and audit management controls
• Compliance with applicable laws, regulations and standards
52. 1.6.15 Computer-Assisted Audit Techniques (CAATs)
• An important tool in gathering evidence from different auditing environments
• Enable IS auditors to gather information independently of the auditee
• Include many types of tools and techniques, such as:
• GAS (Generalized audit software)
• Utility software
• Debugging and scanning software
• Test data
• Application software tracing and mapping
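The core functions of generalized audit software (filtering, exception reporting, duplicate and sequence-gap detection, re-totalling) are small enough to show in full, and doing so also makes the compliance vs. substantive distinction of 1.6.10 concrete. The block below is an added example written for this review; it is not from the course, not from ISACA and not any vendor's GAS product. The payment records, the ledger balances and the control under test (every payment must be approved by someone other than its preparer) are constructed for the example.

```python
"""Generalized-audit-software style tests over a constructed payment file
(added example for sections 1.6.10 and 1.6.15; not from the course).

The payment records, the general-ledger balances and the control being
tested are constructed / assumed. The compliance test looks only at the
control attribute (segregation of preparer and approver); the substantive
tests look at the integrity of the transactions themselves.
"""
import csv
import io
from collections import defaultdict

# Constructed input: one vendor payment per row, as exported from an AP system
PAYMENTS_CSV = """\
payment_id,vendor,invoice,amount,preparer,approver
1001,Acme Ltd,INV-77,4200.00,jsmith,pkaur
1002,Acme Ltd,INV-78,12500.00,jsmith,
1003,Globex,INV-201,980.50,rlee,rlee
1005,Globex,INV-202,15000.00,rlee,pkaur
1006,Acme Ltd,INV-77,4200.00,jsmith,pkaur
1007,Initech,INV-9,310.00,mchen,pkaur
"""
# Constructed general-ledger balances per vendor; the file totals should agree to these
LEDGER_BALANCE = {"Acme Ltd": 16700.00, "Globex": 15980.50, "Initech": 310.00}


def load(text):
    """Parse the export into typed records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["payment_id"] = int(r["payment_id"])
        r["amount"] = float(r["amount"])
    return rows


def compliance_test(rows):
    """Tests the control, not the money: is each payment approved by a person
    other than its preparer? Returns the exceptions and the deviation rate."""
    deviations = []
    for r in rows:
        if not r["approver"]:
            deviations.append((r["payment_id"], "no approver recorded"))
        elif r["approver"] == r["preparer"]:
            deviations.append((r["payment_id"], "self-approved"))
    return {"deviations": deviations, "deviation_rate": len(deviations) / len(rows)}


def substantive_tests(rows):
    """Tests the integrity of the transactions themselves."""
    # Duplicate payments: the same vendor invoice settled more than once
    by_invoice = defaultdict(list)
    for r in rows:
        by_invoice[(r["vendor"], r["invoice"])].append(r["payment_id"])
    duplicates = [(v, inv, ids) for (v, inv), ids in sorted(by_invoice.items()) if len(ids) > 1]

    # Sequence gaps: a missing payment number can mean a deleted or unrecorded transaction
    present = {r["payment_id"] for r in rows}
    gaps = [i for i in range(min(present), max(present) + 1) if i not in present]

    # Re-totalling: recompute each vendor's total and compare with the ledger balance
    totals = defaultdict(float)
    for r in rows:
        totals[r["vendor"]] += r["amount"]
    unreconciled = {}
    for vendor, total in totals.items():
        diff = round(total - LEDGER_BALANCE.get(vendor, 0.0), 2)
        if diff != 0:
            unreconciled[vendor] = diff
    return {"duplicates": duplicates, "sequence_gaps": gaps, "unreconciled": unreconciled}


if __name__ == "__main__":
    payments = load(PAYMENTS_CSV)
    print(compliance_test(payments))
    print(substantive_tests(payments))
```

On the constructed file the compliance test reports two deviations in six payments (1002 has no approver, 1003 was self-approved), which is evidence about whether the control operates, not about whether any money is wrong. The substantive tests then find the actual errors: invoice INV-77 was paid twice (1001 and 1006), payment number 1004 is missing from the sequence, and the recomputed Acme Ltd total exceeds the ledger by exactly the duplicated 4200.00. Note that the two kinds of test are independent: a file can pass the compliance test and still fail re-totalling, which is why a weak compliance result should lead to more substantive work rather than less.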
53. 1.6.16 Evaluation of Strengths & Weaknesses
• IS auditors should assess the strengths and weaknesses of the controls evaluated
• A control matrix is used in assessing the level of controls
• One strong control may compensate for a weak control in another area
• A control objective is achieved NORMALLY by multiple controls
54. 1.6.17 Communicating Audit Results
• Exit Interviews
• Executive Summary
• Audit Report
• Visual Presentation
• Before communicating the results to the senior management, the IS auditor should
discuss the findings with the management/staff of the audited entity
• IS auditor should make final decision about what to include/exclude from the audit report
• Usually a balanced report BUT must exercise independence
55. 1.6.18 Management Implementation of Recommendations
• A follow-up program determines whether findings have been addressed and corrective actions
implemented
• Management should develop a firm program for corrective actions
57. 1.7 Control Self-Assessment (CSA)
• An assessment of controls made by the staff and management of the unit/units
involved
• A methodology used to review key business objectives, risks involved in achieving
the business objectives and internal controls designed to manage these business
risks
• Ranging from questionnaires to workshops
58. 1.7.1 Objectives of CSA
• Primary objective is to leverage the internal audit function by shifting some of the
control monitoring responsibilities to the functional areas
• NOT intended to replace audit activities BUT to enhance them
62. 1.7.4 Auditor role in CSA
• Auditors become internal control professionals and facilitators
• Lead and guide the auditees in assessing their environment by providing insight
about the objectives of controls based on risk assessment
65. 1.8 The Evolving IS Audit Process
• This includes:
• Integrated auditing
• Continuous auditing
66. 1.8.1 Integrated Auditing
• A process whereby appropriate audit disciplines are combined to
assess key internal controls over an operation, process, or entity
• Focuses on risk
• Aims to understand and identify risks arising from the entity & its
environment, including relevant internal controls
68. 1.8.2 Continuous Auditing
• Continuous Auditing:
• A methodology that enables independent auditors to provide written assurance on a
subject matter using a series of auditors’ reports issued simultaneously with, or a
short period of time after, the occurrence of events underlying the subject matter
• Continuous Monitoring:
• Based on automated procedures to meet fiduciary responsibilities, e.g. real-time antivirus
or an IDS
71. Self-Assessment Questions
1. Which of the following outlines the overall authority to perform an
IS audit?
a) The audit scope, with goals and objectives
b) A request from management to perform the audit
c) The approved audit charter
d) The approved audit schedule
72. Self-Assessment Questions
2. While developing a risk-based audit program, on which of the
following would the IS auditor MOST likely focus?
a) Business processes
b) Critical IT applications
c) Operational controls
d) Business strategies
73. Self-Assessment Questions
3. Which of the following is the MOST important reason why an audit
planning process should be reviewed at periodic intervals?
a) To plan for deployment of available audit resources
b) To consider changes to the risk environment
c) To provide inputs for documentation of the audit charter
d) To identify the applicable IS audit standards
74. Self-Assessment Questions
4. The FIRST step in planning an audit is to:
a) Define audit deliverables
b) Finalize the audit scope and audit objectives
c) Gain an understanding of the business’ objectives
d) Develop the audit approach or audit strategy
75. Answers
1. (c) The approved audit charter
2. (a) Business Processes
3. (b) To consider changes to the risk environment
4. (c) Gain an understanding of the business’ objectives