Quiz-1-Reviewer

The document outlines the process of auditing information systems, detailing the standards, principles, and methods used by IS auditors to assess and improve organizational controls. It covers the objectives of IS auditing, including planning, execution, and communication of findings, as well as the importance of compliance with laws and regulations. Additionally, it emphasizes the need for IS auditors to understand business processes and utilize data analytics tools to enhance audit effectiveness.

CISA EXAM

DOMAIN 1
THE PROCESS OF AUDITING INFORMATION SYSTEMS

DOMAIN 1 OVERVIEW

The information systems (IS) auditing process encompasses the standards, principles, methods, guidelines, practices and techniques that an IS auditor uses to plan, execute, assess and review business or information systems and related processes.

An IS auditor must have a thorough understanding of this auditing process as well as IS processes, business processes and controls designed to achieve organizational objectives and protect organizational assets.

DOMAIN 1 OBJECTIVES

Upon completion of this domain an IS auditor should be able to:
• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization.
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy.
• Communicate audit progress, findings, results, and recommendations to stakeholders.
• Conduct audit follow-up to evaluate whether risks have been sufficiently addressed.
• Evaluate IT management and monitoring of controls.
• Utilize data analytics tools to streamline audit processes.
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
• Identify opportunities for process improvement in the organization's IT policies and practices.

DOMAIN 1 TOPICS

Planning
• IS Audit Standards, Guidelines and Codes of Ethics
• Business Processes
• Types of Controls
• Risk-Based Audit Planning
• Types of Audits and Assessments

Execution
• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

PLANNING
SECTION 1

TOPICS

Introduction
IS Audit Standards, Guidelines and Codes of Ethics
Business Processes
Types of Controls
Risk-Based Audit Planning

WHAT IS AUDIT?

IS audit is the formal examination and/or testing of information systems to determine whether:
• Information systems (IS) are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
• Information systems and related processes comply with governance criteria and related and relevant policies and procedures.
• IS data and information have appropriate levels of confidentiality, integrity and availability.
• IS operations are accomplished efficiently and effectiveness targets are met.

AUDIT PROCESS

Planning → Fieldwork/Documentation → Reporting/Follow-up

IS AUDIT STANDARDS, GUIDELINES, AND CODES OF ETHICS
SECTION 1

ISACA IS AUDIT AND ASSURANCE STANDARDS

ISACA IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the CISA designation of their professional performance requirements

ISACA IS AUDIT AND ASSURANCE STANDARDS FRAMEWORK

The framework for the ISACA IS Audit and Assurance Standards provides for multiple levels of documents:
• Standards define mandatory requirements for IS audit and assurance and reporting.
• Guidelines provide guidance in applying IS audit and assurance standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure from the standards.
• Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work, but do not set requirements.

STANDARDS AND GUIDELINES

There are three categories of standards and guidelines:

General (guiding principles): Apply to the conduct of all assignments, and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill.

Performance: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence.

Reporting: Address the types of reports, means of communication and the information communicated.

ISACA IS AUDIT AND ASSURANCE GUIDELINES

• Consider them in determining how to implement ISACA audit and assurance standards.
• Use professional judgment in applying them to specific audits.
• Be able to justify any departure from the ISACA audit and assurance standards.

CODE OF PROFESSIONAL ETHICS

Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.

Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the association.

CODE OF PROFESSIONAL ETHICS (CONT’D)

Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

Maintain competency in their respective fields, and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.

CODE OF PROFESSIONAL ETHICS (CONT’D)

Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.

Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

ITAF

ITAF is a comprehensive and good practice-setting reference model that:
• Establishes standards that address IS auditor roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements.
• Defines terms and concepts specific to IS assurance.
• Provides guidance and tools and techniques on the planning, design, conduct and reporting of IS audit and assurance assignments.

BUSINESS PROCESSES

OVERVIEW

IS auditor’s key actions:
• Understand and evaluate business processes.
• Test and evaluate operational controls.
• Identify the controls:
  • Policies
  • Procedures
  • Practices
  • Organizational structures

TOPICS

IS Internal Audit Function
Management of the IS Audit Function
Audit Planning
Effect of Laws and Regulations on IS Audit Planning
Business Process Applications and Controls

IS INTERNAL AUDIT FUNCTION

The role of the IS internal audit function should be established by an audit charter approved by the board of directors and the audit committee (senior management if these entities do not exist).

An audit charter is an overarching document that covers the entire scope of audit activities in an entity, while an engagement letter is more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.

The charter should clearly state management’s responsibility and objectives for, and delegation of authority to, the IS audit function.

MANAGEMENT OF THE IS AUDIT FUNCTION

Managing the IS audit function should ensure value-added contributions to senior management in the efficient management of IT and achievement of business objectives.

AUDIT PLANNING

The first step in performing an IS audit is adequate planning.

To plan an audit, the following tasks must be completed:
• List all the processes that may be considered for the audit.
• Evaluate each process by performing a qualitative or quantitative risk assessment.
• These evaluations should be based on objective criteria.
• Define the overall risk of each process.
• Construct an audit plan to include all of the processes that are rated “high”, which would represent the ideal annual audit plan.

WHEN TO AUDIT

Audit planning includes short-term and long-term planning.
• Short-term planning involves all audit issues that will be covered during the year.
• Long-term planning takes into account all risk-related issues that might be affected by the organization’s IT strategic direction.

Both must respond to new control issues and to changes in the risk environment, technologies and business processes.

AUDIT PLANNING STEPS

• Gain an understanding of the business’s mission, objectives, purpose and processes.
• Understand changes in the business environment of the auditee.
• Review prior work papers.
• Identify stated contents, such as policies, standards and required guidelines, procedures and organization structure.
• Perform a risk analysis to help in designing the audit plan.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit.
• Address engagement logistics.

ADDITIONAL CONSIDERATIONS

The audit plan should take into consideration the objectives of the IS audit relevant to the audit area and its technology infrastructure and business strategic direction. The IS auditor can gain this information by:
• Reading background material, including industry publications, annual reports and independent financial analysis reports
• Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
• Reviewing business and IT long-term strategic plans

ADDITIONAL CONSIDERATIONS (CONT’D)

Other ways the IS auditor can gain this information include:
• Interviewing key managers to understand business issues
• Identifying specific regulations applicable to IT
• Identifying IT functions or related activities that have been outsourced
• Touring key organization facilities

The IS auditor must also match available audit resources, such as staff, with the tasks defined in the audit plan.

LAWS AND REGULATIONS

Certain industries, such as banks and internet service providers (ISPs), are closely regulated. These legal regulations may pertain to financial, operational and IS audit functions.

There are two areas of concern that impact the audit scope and objectives:
• Legal requirements placed on the audit
• Legal requirements placed on the auditee and its systems, data management, reporting, etc.

IS AUDIT ROLE AND COMPLIANCE

To determine an organization’s level of compliance, an IS auditor must:
• Identify those government or other relevant external requirements dealing with:
  • Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  • Computer system practices and controls
  • The manner in which computers, programs and data are stored
  • The organization or the activities of information technology services
  • IS audits

IS AUDIT STEPS AND DETERMINING ORGANIZATIONAL COMPLIANCE

• Document applicable laws and regulations.
• Assess whether management and the IT function have considered the relevant external requirements in their plans, policies, standards and procedures, as well as business application features.
• Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
• Determine adherence to procedures that address these requirements.
• Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

BUSINESS PROCESS APPLICATIONS AND CONTROLS

In an integrated application environment, controls are embedded and designed into the business application that supports the processes. Business process control assurance involves evaluating controls at the process and activity level.

These controls may be a combination of:
• Management controls
• Programmed controls
• Manual controls

To effectively audit business application systems, an IS auditor must obtain a clear understanding of the application system under review.

BUSINESS APPLICATION SYSTEMS

• E-commerce
• Electronic data interchange
• Email systems
• Point-of-sale (POS) systems
• Electronic banking and electronic finance
• Payment systems and electronic funds transfer (EFT)
• Automated teller machines (ATM)
• Supply chain management (SCM)
• Customer relationship management
• Purchase accounting systems
• Integrated manufacturing
• Industrial control systems (ICS)
• Interactive voice response (IVR)
• Image processing
• Artificial intelligence (AI) and business intelligence systems
• Decision support system (DSS)

USING THE SERVICES OF OTHER AUDITORS AND EXPERTS

When using external or outside experts, consider the following:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls

TYPES OF CONTROLS

INTERNAL CONTROLS

Internal controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization.

Internal controls should address:
• What should be achieved?
• What should be avoided?

CONTROL CLASSIFICATION

Preventive
• Detect problems before they arise.
• Monitor both operation and inputs.
• Attempt to predict potential problems before they occur and make adjustments.
• Prevent an error, omission or malicious act from occurring.
• Segregate duties (deterrent factor).
• Control access to physical facilities.
• Use well-designed documents (prevent errors).

Detective
• Use controls that detect and report the occurrence of an error, omission or malicious act.

Corrective
• Minimize the impact of a threat.
• Remedy problems discovered by detective controls.
• Identify the cause of a problem.
• Correct errors arising from a problem.
• Modify the processing system(s) to minimize future occurrences of the problem.

CONTROL OBJECTIVES AND CONTROL MEASURES

Control objective
• An objective of one or more operational area(s) or role(s) to be achieved, in order to contribute to the fulfillment of strategic goal(s) of the company. That is, the control objective is such a goal that is explicitly related to the strategy of the company.

Control measure
• An activity contributing to the fulfillment of a control objective. Both the control objective and control measure serve the decomposition of the strategic-level goals into such lower-level goals and activities that can be assigned as tasks to the staff. This assignment can take the form of a role description in a job description.

IS CONTROL OBJECTIVES

IS control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process area. IS control objectives are:
• Statements of the desired result or purpose to be achieved by implementing controls around information systems processes.
• Comprised of policies, procedures, practices and organizational structures.
• Designed to provide reasonable assurance that business objectives will be achieved, and undesired events will be prevented or detected and corrected.

IS CONTROL OBJECTIVES (CONT’D)

• Safeguarding assets
• System development life cycle (SDLC) processes are established, in place and operating effectively
• Integrity of general operating system (OS) environments
• Integrity of sensitive and critical application system environments
• Appropriate identification and authentication of users
• The efficiency and effectiveness of operations
• Integrity and reliability of systems by implementing effective change management procedures
• Complying with the users’ requirements, organizational policies and procedures, and applicable laws and regulations (compliance objectives)
• Ensuring availability of IT services by developing efficient business continuity plans (BCPs) and disaster recovery plans (DRPs) that include backup and recovery processes
• Enhancing protection of data and systems by developing an incident response plan
• Ensuring integrity and reliability of systems by implementing effective change management procedures
• Ensuring that outsourced IS processes and services have clearly defined service level agreements (SLAs) and contract terms and conditions to ensure the organization’s assets are properly protected and meet business goals and objectives

GENERAL CONTROLS

General controls include:
• Internal accounting controls that concern the safeguarding of assets and reliability of financial information
• Operational controls that concern day-to-day operations, functions and activities
• Administrative controls that concern operational efficiency in a functional area and adherence to management policies
• Organizational security policies and procedures to ensure proper usage of assets
• Overall policies for the design and use of adequate documents and records
• Access and use procedures and practices
• Physical and logical security policies for all facilities

IS-SPECIFIC CONTROLS

Each general control can be translated into an IS-specific control. The IS auditor should understand IS controls and how to apply them in planning an audit.

IS control procedures include:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT resources, including data and programs
• Systems development methodologies and change control

IS-SPECIFIC CONTROLS (CONT’D)

Additional IS control procedures include:
• Operations procedures
• Systems programming and technical support functions
• Quality assurance (QA) procedures
• Physical access controls
• Business continuity planning (BCP)/disaster recovery planning (DRP)
• Networks and communications
• Database administration
• Protection and detective mechanisms against internal and external attacks

RISK-BASED AUDIT PLANNING

RISK-BASED AUDITING

Gather Information and Plan
• Knowledge of business and industry
• Regulatory statutes
• Prior year’s audit results
• Inherent risk assessments
• Recent financial information

Obtain Understanding of Internal Control
• Control environment
• Control procedures
• Control risk assessment
• Detection risk assessment
• Equate total risk

Perform Compliance Tests
• Identify key controls to be tested.
• Perform tests on reliability, risk prevention and adherence to organization policies and procedures.

Perform Substantive Tests
• Analytical procedures
• Detailed tests of account balances
• Other substantive audit procedures

Conclude the Audit
• Create recommendations.
• Write the audit report.

AUDIT RISK AND MATERIALITY

Inherent risk: As it relates to audit risk, it is the risk level or exposure of the process/entity to be audited without considering the controls that management has implemented. Inherent risk exists independent of an audit and can occur because of the nature of the business.

Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. For example, the control risk associated with manual reviews of computer logs can be high because activities requiring investigation are often easily missed due to the volume of logged information. The control risk associated with computerized data validation procedures is ordinarily low if the processes are consistently applied.

Detection risk: The risk that material errors or misstatements that have occurred will not be detected by an IS auditor.

Overall audit risk: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred. An objective in formulating the audit approach is to limit the audit risk in the area under scrutiny so the overall audit risk is at a sufficiently low level at the completion of the examination.

RISK ASSESSMENT

A risk assessment assists the IS auditor in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls.

Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.

It supports risk-based audit decision making by considering variables, such as:
• Technical complexity
• Level of control procedures in place
• Level of financial loss
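Added example, not from the slides or from ISACA: a small Python sketch of the quantitative step described in the AUDIT PLANNING slide (score every process, define its overall risk, put every process rated "high" into the ideal annual plan, then match the plan to available staff) using the three variables this slide lists. The 1..5 scales, the rating thresholds, the inherent-times-control scoring and the sample process inventory are constructed assumptions for illustration.

```python
"""Risk-based annual audit plan builder (added illustration, not ISACA material).

Scores each candidate process on technical complexity, level of control
procedures in place and level of potential financial loss, rates it, places
every "high" process in the ideal annual plan and then checks that plan
against the staff hours actually available. Scales and thresholds are assumed.
"""
from dataclasses import dataclass

# Rating thresholds on the 0..1 overall score (assumption; not from the slides).
HIGH_THRESHOLD = 0.40
MEDIUM_THRESHOLD = 0.20


@dataclass(frozen=True)
class ProcessRisk:
    name: str
    technical_complexity: int  # 1 (simple) .. 5 (highly complex)
    control_level: int         # 1 (weak, ad hoc) .. 5 (strong, consistently applied)
    financial_loss: int        # 1 (negligible) .. 5 (severe)
    audit_hours: int           # constructed estimate of effort to audit the process


def _check_scale(value: int, label: str) -> None:
    """Reject scores outside the 1..5 scale instead of silently skewing the plan."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be in 1..5, got {value}")


def inherent_risk(p: ProcessRisk) -> float:
    """Exposure before considering any controls: complexity x loss, scaled to 0..1."""
    _check_scale(p.technical_complexity, "technical_complexity")
    _check_scale(p.financial_loss, "financial_loss")
    return (p.technical_complexity * p.financial_loss) / 25


def control_risk(p: ProcessRisk) -> float:
    """Risk that controls fail to prevent/detect a material error: 1.0 (weak) .. 0.2 (strong)."""
    _check_scale(p.control_level, "control_level")
    return (6 - p.control_level) / 5


def overall_risk(p: ProcessRisk) -> float:
    """Residual exposure: inherent risk discounted by the controls (assumed multiplicative)."""
    return round(inherent_risk(p) * control_risk(p), 3)


def rate(score: float) -> str:
    """Qualitative rating that decides what enters the annual plan."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def build_audit_plan(processes, available_hours: int) -> dict:
    """Score and rate every process, include all 'high' ones in the ideal plan,
    fund them highest-risk-first within the available hours, and report any
    high-risk work the current staffing cannot cover."""
    scored = sorted(((overall_risk(p), p) for p in processes),
                    key=lambda t: (-t[0], t[1].name))
    ideal = [p for score, p in scored if rate(score) == "high"]
    funded, deferred, used = [], [], 0
    for p in ideal:
        if used + p.audit_hours <= available_hours:
            funded.append(p.name)
            used += p.audit_hours
        else:
            deferred.append(p.name)
    return {
        "ratings": {p.name: rate(score) for score, p in scored},
        "ideal_plan": [p.name for p in ideal],
        "funded_plan": funded,
        "deferred_high_risk": deferred,
        "hours_required": sum(p.audit_hours for p in ideal),
        "hours_available": available_hours,
    }


# Constructed sample inventory; the manual log review mirrors the slides' remark
# that manual review of computer logs carries high control risk.
SAMPLE_PROCESSES = [
    ProcessRisk("Electronic banking", 5, 3, 5, 120),
    ProcessRisk("Payment systems and EFT", 4, 2, 5, 100),
    ProcessRisk("Point-of-sale systems", 3, 2, 5, 80),
    ProcessRisk("Payroll", 3, 3, 4, 60),
    ProcessRisk("Manual computer log review", 2, 1, 3, 30),
    ProcessRisk("Email systems", 2, 4, 2, 40),
]

if __name__ == "__main__":
    for key, value in build_audit_plan(SAMPLE_PROCESSES, available_hours=240).items():
        print(f"{key}: {value}")
```

With 240 staff hours the three "high" processes need 300, so the lowest-scoring of them is reported as deferred high-risk work rather than silently dropped.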

RISK RESPONSE

Risk Response Options
• Risk mitigation – Applying appropriate controls to reduce the risk
• Risk acceptance – Knowingly and objectively not taking action, providing the risk clearly satisfies the organization’s policy and criteria for risk acceptance
• Risk avoidance – Avoiding risk by not allowing actions that would cause the risk to occur
• Risk transfer/sharing – Transferring the associated risk to other parties

RISK ASSESSMENT PROCESS

Using risk assessment to determine areas to be audited:
• Enables management to effectively allocate limited audit resources
• Ensures that relevant information has been obtained from all levels of management
• Establishes a basis for effectively managing the audit department
• Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

[Figure: NIST risk assessment process]
• Prepare for Assessment
• Conduct Assessment:
  • Identify Threat Sources and Events
  • Identify Vulnerabilities and Predisposing Conditions
  • Determine Likelihood of Occurrence
  • Determine Magnitude of Impact
  • Determine Risk
• Communicate Results
• Maintain Assessment

Source: National Institute of Standards and Technology (NIST), NIST Special Publication 800-30, Revision 1: Information Security, USA, 2012. Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.

RISK ANALYSIS

During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks.

The IS auditor’s role is to:
• Understand the relationship between risk and control.
• Identify and differentiate risk types and the controls used to mitigate the risk.
• Evaluate risk assessment and management techniques used by the organization.
• Understand that risk exists as part of the audit process.

RISK MANAGEMENT PROCESS

• Identify Business Objectives (BO)
• Identify Information Assets Supporting the BOs
• Perform Risk Assessment (RA) [Threat ← Vulnerability → Probability ← Impact]
• Perform Risk Mitigation (RM) [Map risks with controls in place]
• Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls]
• Perform Periodic Risk Reevaluation (BO/RA/RM/RT)

TYPES OF AUDITS

Compliance audits: Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. Examples include Payment Card Industry Data Security Standard (PCI DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle health care data.

Financial audits: The purpose of a financial audit is to assess the accuracy of financial reporting. It often involves detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach. This kind of audit relates to financial information integrity and reliability.

Operational audits: An operational audit is designed to evaluate the internal control structure in a given process or area. Examples include IS audits of application controls or logical security systems.

Administrative audits: These are oriented to assess issues related to the efficiency of operational productivity within an organization.

IS audits: This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently. It also asks whether they have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.

Forensic audits: Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.

Integrated audits: An integrated audit combines financial and operational audit steps. It is performed to assess the overall objectives within an organization, related to financial information and assets’ safeguarding, efficiency and compliance.

AUDIT METHODOLOGY

An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, audit objectives and audit programs.

Each audit department should design and approve an audit methodology that is formalized and communicated to all audit staff.

An audit program should be developed to serve as a guide for performing and documenting all of the audit steps, and the extent and types of evidential matter reviewed.

AUDIT PHASES

Audit subject
• Identify the area to be audited.

Audit objective
• Identify the purpose of the audit.

Audit scope
• Identify the specific systems, function or unit of the organization to be included in the review.

Preaudit planning
• Identify technical skills and resources needed.
• Identify the sources of information for test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers.
• Identify locations or facilities to be audited.
• Develop a communication plan at the beginning of each engagement that describes who to communicate to, when, how often and for what purpose(s).

Audit procedures and steps for data gathering
• Identify and select the audit approach to verify and test the controls.
• Identify a list of individuals to interview.
• Identify and obtain departmental policies, standards and guidelines for review.
• Develop audit tools and methodology to test and verify control.

Procedures for evaluating the test or review results
• Identify methods (including tools) to perform the evaluation.
• Identify criteria for evaluating the test (similar to a test script for the IS auditor to use in conducting the evaluation).
• Identify means and resources to confirm the evaluation was accurate (and repeatable, if applicable).

Procedures for communication with management
• Determine frequency of communication.
• Prepare documentation for final report.

Audit report preparation
• Disclose follow-up review procedures.
• Disclose procedures to evaluate/test operational efficiency and effectiveness.
• Disclose procedures to test controls.
• Review and evaluate the soundness of documents, policies and procedures.