
ISACA Document (CISA)

Nikhil P

Academic year: 2023


Full text

The CISA® Review Manual 27th Edition is designed to help candidates prepare for the CISA exam. CISA Review Courses (offered by local ISACA chapters and accredited training organizations) ABOUT THE CISA REVIEW QUESTIONS, ANSWERS AND.

Exam Content Outline

Reporting and Communication Techniques

Quality Assurance and Improvement of the Audit Process Case Study

EXAM CONTENT OUTLINE Part A: Planning

IS AUDIT STANDARDS, GUIDELINES AND CODES OF ETHICS

  • ISACA IS AUDIT AND ASSURANCE STANDARDS
  • ISACA IS AUDIT AND ASSURANCE GUIDELINES
  • ISACA CODE OF PROFESSIONAL ETHICS
  • ITAF™

The fundamental elements of an IS audit are defined in the ISACA IS Audit and Assurance Standards and Guidelines. The ISACA IS Audit and Assurance Guidelines provide guidance and additional information on how to meet ISACA's audit and assurance standards.

BUSINESS PROCESSES

  • IS INTERNAL AUDIT FUNCTION
  • MANAGEMENT OF THE IS AUDIT FUNCTION
  • AUDIT PLANNING
  • EFFECT OF LAWS AND REGULATIONS ON IS AUDIT PLANNING
  • BUSINESS PROCESS APPLICATIONS AND CONTROLS
  • USING THE SERVICES OF OTHER AUDITORS AND EXPERTS

All relevant processes that represent the blueprint of the company's operations should be included in the audit universe. Understand the organization's governance structure and practices related to audit objectives. Application system: the programs that process the data sent to or received from the trading partner.

An IS auditor should review the contract with the switch and the third-party audit of the switch operations. Review physical security measures to ensure the safety of the ATM and the money contained in the ATM.

Figure 1.3 provides a high-level overview of typical ICS process flows.

TYPES OF CONTROLS

  • CONTROL OBJECTIVES AND CONTROL MEASURES
  • EVALUATION OF THE CONTROL ENVIRONMENT
  • GENERAL CONTROLS
  • IS-SPECIFIC CONTROLS

A control objective is defined as an objective of one or more operational areas or roles that must be achieved in order to contribute to the fulfillment of the strategic objectives of the company. In other words, a control objective is one that is expressly tied to the company's strategy. Control objectives are statements of the desired result or goal to be achieved by implementing control activities (procedures).

Control objectives for information systems are statements about the desired result or purpose to be achieved by implementing controls around information systems processes. An IS auditor also assesses the strengths and weaknesses of the controls evaluated and determines whether they are effective in meeting the control objectives established as part of the audit planning process.

RISK-BASED AUDIT PLANNING

  • AUDIT RISK AND MATERIALITY
  • RISK ASSESSMENT
  • RISK ANALYSIS

By understanding the nature of the business, an IS auditor can identify and categorize the types of risk that will better inform the risk model or approach in conducting the audit. Audit risk can be defined as the risk that information collected may contain a material error that may go undetected during the course of the audit. Detection risk—The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.

The IS auditor should engage in evaluating the materiality of the items in question using a risk-based audit approach to evaluating internal controls. When reviewing these types of IT-related business risks, an IS auditor will often assess the effectiveness of the risk management process used by the organization.

Figure 1.7 depicts the specific processes used by an IS auditor to realize these objectives.

TYPES OF AUDITS AND ASSESSMENTS

Operational audit—An operational audit is designed to evaluate the internal control structure in a particular process or area. Administrative audit—An administrative audit is designed to assess issues related to the efficiency of operational productivity within an organization. Third-party service audit—A third-party service audit addresses the auditing of financial and business processes outsourced to third-party service providers who may operate in different jurisdictions.

Forensic audit—A forensic audit is a specialized audit to detect, uncover and follow up on fraud and crime. Computer forensic audit—A computer forensic audit is an investigation that includes the analysis of electronic devices such as computers, smartphones, disks, switches, routers and hubs.

AUDIT PROJECT MANAGEMENT

  • AUDIT OBJECTIVES
  • AUDIT PHASES
  • AUDIT PROGRAMS
  • AUDIT WORK PAPERS
  • FRAUD, IRREGULARITIES AND ILLEGAL ACTS

One of the primary objectives of an IS audit is to identify control objectives and the related controls that address each objective. The audit plan should identify the specific systems, functions or units of the organization to be included in the review, the roles and responsibilities among the audit team, and the time frame for the different stages of the audit.

At this stage of the audit process, the audit team should also have data collection steps in place. In the event that the IS auditor discovers major fraud, or if the risk associated with the detection is high, audit management should also consider notifying the audit in a timely manner.

SAMPLING METHODOLOGY

  • COMPLIANCE VERSUS SUBSTANTIVE TESTING
  • SAMPLING

It is important that an IS auditor understands the specific objective of a compliance test and the control being tested. An IS auditor may use substantive tests to test for monetary errors that directly affect the financial statement balances or other significant data of the organization. An IS auditor may also decide during the preliminary evaluation of controls to include some substantive testing if the results of this preliminary evaluation indicate that the controls implemented are unreliable or do not exist.

Sample mean—The sum of all sample values divided by the sample size. Sample standard deviation—A measure of how far the sample values deviate from the sample mean.

AUDIT EVIDENCE COLLECTION TECHNIQUES

  • INTERVIEWING AND OBSERVING PERSONNEL IN PERFORMANCE OF THEIR DUTIES

The IS auditor should focus on the overall objectives of the review rather than the nature of the evidence collected. An IS auditor must understand general organizational controls and be able to evaluate those controls in the audited organization. Review of IS Standards – The IS auditor should first understand the existing standards in place in the organization.

However, an IS auditor should look for documentation standards and practices within the IS organization. An IS auditor must be able to review documentation for a given system and determine whether it follows the organization's documentation standards.

DATA ANALYTICS

  • CONTINUOUS AUDITING AND MONITORING
  • CONTINUOUS AUDITING TECHNIQUES

Data analysis can be effective for an IS auditor in both the planning and fieldwork phases of the audit. An IS auditor must have a thorough understanding of RGOTs and know where and when to apply them. When requesting access to production data for use with RGOTs, an IS auditor must request read-only access.

To this end, an IS auditor must develop auditing techniques that are suitable for use with advanced information systems. Continuous auditing—Enables an IS auditor to perform tests and assessments in a real-time or near-real-time environment.

REPORTING AND COMMUNICATION TECHNIQUES

  • COMMUNICATING AUDIT RESULTS
  • AUDIT REPORT OBJECTIVES The six objectives of audit reporting are
  • AUDIT REPORT STRUCTURE AND CONTENTS
  • AUDIT DOCUMENTATION
  • FOLLOW-UP ACTIVITIES
  • TYPES OF IS AUDIT REPORTS

An IS auditor should make the final decision on what to include or exclude from the audit report. An IS auditor should discuss the recommendations and any planned implementation dates while issuing the audit report. When applicable, an IS auditor should provide the explanation in a separate document and refer to it in the report.

When appropriate, an IS auditor should promptly communicate significant findings to the appropriate individuals before issuing the report. The timing of follow-up will depend on the criticality of the findings and is subject to the judgment of an IS auditor.

QUALITY ASSURANCE AND IMPROVEMENT OF THE AUDIT PROCESS

  • CONTROL SELF-ASSESSMENT
  • INTEGRATED AUDITING

A CSA is an assessment of controls performed by the staff and management of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that an organization's internal control system is reliable. One critical success factor (CSF) is to conduct a meeting with representatives of the business unit (including appropriate and relevant personnel and management) to determine the main objective of the business unit, which is to determine the reliability of the internal control system.

The entity has an audit charter that describes the scope and responsibilities of the IS audit function and specifies the audit committee as the oversight body for audit activities. Material risk is any risk that is significant enough to materially threaten the overall success of the business.

Exam Content Outline

IT Service Provider Acquisition and Management

IT Performance Monitoring and Reporting

2.12 Quality Assurance and Quality Management of IT

Effective governance and management of IT consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and expands the enterprise's strategy and goals. Knowledge of IT management is fundamental to the work of the IS auditor, and it forms the basis for the development of sound control practices and mechanisms for management supervision and.

EXAM CONTENT OUTLINE Part A: IT Governance

IT GOVERNANCE AND IT STRATEGY

  • ENTERPRISE GOVERNANCE OF INFORMATION AND TECHNOLOGY
  • GOOD PRACTICES FOR EGIT
  • INFORMATION SECURITY GOVERNANCE
  • INFORMATION SYSTEMS STRATEGY
  • STRATEGIC PLANNING
  • BUSINESS INTELLIGENCE

Reporting line to be used, where EGIT issues are identified up to the highest level of the organization. IT department management, together with the IT Steering Committee and the Strategy Committee (which provides valuable strategic input regarding stakeholder value), plays a key role in the development and implementation of the plans. Effective strategic IS planning involves considering the enterprise's requirements for new and revised information systems and IT.

Warehouse management layer – The function of this layer is the planning of the tasks necessary to build and maintain the DW and populate the data mart. Ultimately, the data architecture must be structured to meet the organization's needs in the most efficient way.

IT-RELATED FRAMEWORKS

Final funding decisions should rest with a technology steering committee composed of senior management. Aspects to consider here include establishing standard definitions for data, business rules and metrics; identifying approved data sources; and establishing standards for data reconciliation and balancing. ISO/IEC 20000 is a service management specification that is aligned with ITIL's service management framework.

ISO Risk Management—Guidelines provides guidelines on, and a general approach to, risk management for organizations.

IT STANDARDS, POLICIES AND PROCEDURES

  • STANDARDS
  • POLICIES
  • GUIDELINES

The information security policy must be approved by senior management and must be documented and communicated. The information security policy should state management's commitment and define the organization's approach to information security management. The information security policy should be reviewed at scheduled intervals (at least annually) or when significant changes occur in the enterprise, its business operations or internal security-related risk, to ensure its continued adequacy, appropriateness and effectiveness.

The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the policy. The review should include assessing opportunities to improve the organization's information security policy and approach to managing information security in response to changes in the organizational environment, business conditions, legal conditions or technical environment.

ORGANIZATIONAL STRUCTURE

  • IT GOVERNING COMMITTEES
  • ROLES AND RESPONSIBILITIES OF SENIOR MANAGEMENT AND BOARDS OF DIRECTORS

Effective information security governance can only be achieved by involving the board and/or senior management in policy approval, ensuring adequate monitoring, and reviewing metrics, reports and trend analysis. Board members must be aware of the organization's information assets and their importance to ongoing business operations. This can be achieved by regularly communicating the results of a high-level comprehensive risk assessment and business impact analysis (BIA) to the board.

The committee approves project plans and budgets and tracks the achievement of strategic IT priorities and milestones. It also serves as an effective communication channel and provides an ongoing foundation to ensure the security program is aligned with business objectives.
