CISA - Summary and Exam Essentials
Summary
This concludes our review of the IS audit process. A CISA is expected to have a thorough
understanding of the entire audit process. You will be expected to understand the issues and
motivation behind each step.
A violation of the audit process would be a concern and likely indicate the outcome is
meaningless. As an IS auditor, you should always strive to honor the spirit and intent of the
audit process.
Conduct audits in accordance with recognized audit standards, guidelines, and
best practices. It is your job to plan the audit around the business requirements by using a risk-based approach and to collect meaningful evidence.
You are expected to produce an objective report based on the evidence you obtained during the audit. The final report will be communicated to management with the goal of gaining their commitment to resolve any weaknesses found. Your actions should be well documented and reproducible by another auditor.
Exam Essentials
Know how to develop and implement a risk-based audit strategy. The auditor should focus
on areas of high value. The risk assessment will help to determine if the audit will yield meaningful
information. Certain types of conditions may be very difficult to audit. It is important
that the audit is based upon meaningful evidence that is materially relevant.
Understand how to conduct IS audits in accordance with published standards, guidelines, and
best practices. The auditor is expected to follow published audit standards to ensure thoroughness
and consistency. Deviations from the standards and guidelines are very rare. Any deviation
must be well documented, but the results may still not be accepted by the audit community. The
purpose of best practices is to aid the auditor by identifying useful procedures and techniques.
Every audit should be designed to adhere to standards.
Be familiar with how to plan for specific audits. The CISA needs to understand the constraints
and requirements of individual audits. It is the auditor’s job to identify the resource
requirements, sampling requirements, test methods, and procedures to be used. The auditor
will need to identify appropriate personnel to be interviewed. The interview process must be
scheduled and should use predefined questions for the purpose of gathering data. An audit
involving third-party personnel will present its own unique challenges.
Know the auditing practices and techniques. Well established IS auditing procedures ensure
thoroughness and consistency necessary for a successful audit. Good audits will implement a
well thought out sequence of procedures to evaluate materially relevant samples. ISACA provides the auditor with foundation knowledge that should be implemented during your audit.
Effective sample selection of meaningful tests should yield materially relevant results.
Be familiar with IS control objectives and performing control assessment. The basic types
of internal controls are preventative, detective, and corrective. Each control may be implemented
using administrative methods, physical methods, and technical methods. The purpose of the controls is to prevent harm and protect an asset. The IS auditor is responsible for evaluating
the effectiveness of controls.
Know the techniques to gather information and manage the evidence life cycle. The auditor
can collect information through traditional sources of business records, computer data
files, and CAAT tools. Meaningful information can be obtained through personal interviews,
workshops, and surveys. All information and evidence should be recorded and tracked. The
evidence life cycle starts with identification, collection, preservation, analysis, safe storage,
and finally return to the owner. Evidence used for criminal prosecution must be handled with
the highest degree of care. Evidence that is mishandled will void legal claims and may result
in punitive legal action.
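The evidence life cycle above (identification, collection, preservation, analysis, safe storage, return to the owner) as an added example; this is illustrative code written for this summary, not from ISACA or the book. It assumes a single log file as the evidence item and uses a SHA-256 hash taken at collection to detect mishandling before analysis is allowed to proceed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample artefact standing in for a collected log file.
SAMPLE_LOG = b"2024-01-15 09:02:11 user=alice action=login result=success\n"

@dataclass
class Evidence:
    """One evidence item tracked through the life cycle described above."""
    item_id: str
    owner: str
    content: bytes
    sha256: str = ""
    custody: list = field(default_factory=list)

    def log(self, stage: str, who: str, note: str = "") -> None:
        # Every hand-off is recorded so another auditor can reproduce the trail.
        self.custody.append({"stage": stage, "by": who, "note": note})

def collect(item_id: str, owner: str, content: bytes, collector: str) -> Evidence:
    """Identification and collection: hash the item at the moment it is collected."""
    ev = Evidence(item_id, owner, content)
    ev.sha256 = hashlib.sha256(content).hexdigest()
    ev.log("identified", collector, f"owner={owner}")
    ev.log("collected", collector, f"sha256={ev.sha256}")
    return ev

def verify(ev: Evidence, who: str) -> bool:
    """Preservation check: stored bytes must still match the collection hash."""
    ok = hashlib.sha256(ev.content).hexdigest() == ev.sha256
    ev.log("verified", who, "intact" if ok else "HASH MISMATCH, evidence compromised")
    return ok

def analyze(ev: Evidence, analyst: str) -> int:
    """Analysis runs only on evidence whose integrity has just been confirmed."""
    if not verify(ev, analyst):
        raise ValueError(f"{ev.item_id}: integrity failure, analysis refused")
    hits = ev.content.count(b"result=success")
    ev.log("analyzed", analyst, f"successful logins={hits}")
    return hits

def return_to_owner(ev: Evidence, who: str) -> str:
    """Safe storage ends with a documented return to the owner; returns the trail."""
    ev.log("stored", who, "locked evidence cabinet")
    ev.log("returned", who, f"to {ev.owner}")
    return json.dumps(ev.custody, indent=1)
```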
Know the types of evidence and evidence grading. The best evidence will tell its own story.
The best evidence will prove or disprove a point. Best evidence is both objective and independent. The timing of evidence must be considered when calculating its useful value. Evidence that is late and subjective will be of low value. Material evidence will have a bearing on the final outcome. Irrelevant evidence will not affect the final decision.
Familiarize yourself with the types of audit tests and sample selection. Audit tests can be
substantive or compliance based. It is important to select an appropriate sample in order to
generate data to reflect the actual situation. Audit test procedures and sample selection methods
must be well documented to ensure verifiable and reproducible tests. The sample may be
selected upon physical characteristics, value, and size of population.
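A worked example of a documented, reproducible sample selection based on value and population size, added here to illustrate the paragraph above; it is not from the book or ISACA. It assumes a constructed list of invoice records and a materiality threshold chosen by the auditor.

```python
import random
from typing import Dict, List

# Constructed population: invoice records standing in for a ledger extract.
AMOUNTS = [120, 4500, 80, 15200, 310, 990, 27000, 45, 760, 5100, 66, 3900]
POPULATION = [{"id": f"INV-{n:03d}", "amount": amt}
              for n, amt in enumerate(AMOUNTS, start=1)]

def select_sample(population: List[Dict], materiality: float,
                  sample_size: int, seed: int) -> Dict:
    """Value-based stratified selection.

    Every item at or above the materiality threshold is tested in full (high
    value, so omission is not acceptable); the remainder gets a random sample
    drawn with a fixed seed. The returned record documents threshold, seed and
    population size so a second auditor can reproduce the exact same sample."""
    high_value = [r for r in population if r["amount"] >= materiality]
    remainder = [r for r in population if r["amount"] < materiality]
    rng = random.Random(seed)  # seeded: the draw is repeatable, not arbitrary
    drawn = rng.sample(remainder, min(sample_size, len(remainder)))
    return {
        "method": "stratified by value: full coverage at/above materiality, "
                  "seeded simple random sample below",
        "materiality": materiality,
        "seed": seed,
        "population_size": len(population),
        "full_coverage": sorted(r["id"] for r in high_value),
        "random_draw": sorted(r["id"] for r in drawn),
    }

def coverage_value(population: List[Dict], selected_ids: List[str]) -> float:
    """Share of total monetary value covered by the selected items."""
    total = sum(r["amount"] for r in population)
    covered = sum(r["amount"] for r in population if r["id"] in selected_ids)
    return round(covered / total, 3)
```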
Know some of the various types of computer-assisted audit tools (CAAT). Computer-assisted
audit techniques are software tools that can provide detailed analysis of computer system configuration, vulnerabilities, logs, and other information. The CAAT output should be kept confidential due to the potentially sensitive nature of its contents.
Understand the continuous auditing methods. Continuous audit methods such as audit
hooks or SCARF with embedded audit modules (SCARF/EAM) are used in environments
where it is not possible to interrupt production.
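An added illustration of the SCARF/EAM pattern described above, written for this summary and not taken from the book or any product: an audit module embedded in a payment-posting routine copies transactions that meet the auditor's criteria into a review file without blocking production. The transaction layout, limits and business hours are assumptions.

```python
from datetime import datetime
from typing import Dict, List

class EmbeddedAuditModule:
    """Audit hook embedded in the application (SCARF/EAM pattern): it applies
    the auditor's selection criteria to every transaction and copies the ones
    that match into the SCARF file for later review. It never blocks or changes
    the transaction, so production is not interrupted."""
    def __init__(self, amount_limit: float, after_hours=(20, 6)):
        self.amount_limit = amount_limit
        self.after_hours = after_hours  # (start, end) hour, wraps past midnight
        self.scarf: List[Dict] = []     # the System Control Audit Review File

    def hook(self, txn: Dict) -> List[str]:
        reasons = []
        if txn["amount"] > self.amount_limit:
            reasons.append("amount over limit")
        hour = datetime.fromisoformat(txn["ts"]).hour
        start, end = self.after_hours
        if hour >= start or hour < end:
            reasons.append("outside business hours")
        if txn["entered_by"] == txn["approved_by"]:
            reasons.append("self-approved")
        if reasons:
            self.scarf.append({"txn_id": txn["id"], "reasons": reasons,
                               "snapshot": dict(txn)})  # copy, never a reference
        return reasons

def post_payment(txn: Dict, ledger: List[Dict], eam: EmbeddedAuditModule) -> str:
    """Production routine with the audit hook inline; posting proceeds regardless."""
    eam.hook(txn)
    ledger.append(txn)
    return "posted"

# Constructed sample transactions (assumed field layout).
SAMPLE_TXNS = [
    {"id": "T1", "amount": 900, "ts": "2024-03-04T10:15:00",
     "entered_by": "bob", "approved_by": "carol"},
    {"id": "T2", "amount": 25000, "ts": "2024-03-04T11:00:00",
     "entered_by": "bob", "approved_by": "carol"},
    {"id": "T3", "amount": 400, "ts": "2024-03-04T23:40:00",
     "entered_by": "dan", "approved_by": "dan"},
]

def run_batch(txns: List[Dict], eam: EmbeddedAuditModule) -> List[Dict]:
    """Post a batch; every transaction posts, exceptions accumulate in the SCARF."""
    ledger: List[Dict] = []
    for t in txns:
        post_payment(t, ledger, eam)
    return ledger
```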
Know how to deal with irregular and illegal acts. It is possible that you could encounter evidence
of irregular or illegal acts. The discoveries should be communicated to the next level of
management higher than where the act occurred. Such a discovery involving persons responsible
for internal controls must be reported to the absolute highest level of management. The auditor
should consult their attorney for legal advice.
Know how to advise clients on implementing risk management and control practices while
maintaining independence. The auditor is encouraged to educate their client and help increase
awareness of control issues. It is important that the auditor does not participate in specific discussions of design or architecture. The auditor must not work on fixing problems if the auditor
is expected to be independent. A client may hire an auditor for remediation and use a separate,
unrelated auditor for the audit. The auditor cannot be independent if they participated in the
audit subject.
Be able to communicate issues, potential risks, and audit results. The auditor is expected to
communicate materially relevant issues to management through the audit reporting process.
Issues of high significance should be communicated directly to the audit committee. The final
results of each audit should be verifiable and reproducible. All communication must convey
the facts without placing blame upon individuals.
Understand the role of traditional audits compared to control self-assessment (CSA). Control
self-assessments are designed to empower the customer’s staff. The intention is to generate
awareness and ownership of problems. A control self-assessment is an excellent way to improve
the performance of an organization between traditional audits. The traditional audit is still necessary to satisfy the independence requirement.