Book Image

CISA – Certified Information Systems Auditor Study Guide

By : Hemang Doshi
Book Image

CISA – Certified Information Systems Auditor Study Guide

By: Hemang Doshi

Overview of this book

Are you looking to prepare for the CISA exam and understand the roles and responsibilities of an information systems (IS) auditor? The CISA - Certified Information Systems Auditor Study Guide is here to help you get started with CISA exam prep. This book covers all the five CISA domains in detail to help you pass the exam. You’ll start by getting up and running with the practical aspects of an information systems audit. The book then shows you how to govern and manage IT, before getting you up to speed with acquiring information systems. As you progress, you’ll gain knowledge of information systems operations and understand how to maintain business resilience, which will help you tackle various real-world business problems. Finally, you’ll be able to assist your organization in effectively protecting and controlling information systems with IT audit standards. By the end of this CISA book, you'll not only have covered the essential concepts and techniques you need to know to pass the CISA certification exam but also have the ability to apply them in the real world.

Related Content you might be interested in

Current Title:

Small book image
CISA – Certified Information Systems Auditor Study Guide
Hemang Doshi
Aug, 2020 | 590 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Small book image
ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide
Shobhit Mehta
Sep, 2023 | 316 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
1
Section 1: Information System Auditing Process
Section 1: Information System Auditing Process
Free Chapter
2
Audit Planning
Audit Planning
The content of an audit charter
Audit planning
Business process applications and controls
Types of controls
Risk-based audit planning
Types of audit and assessment
Summary
Assessments
3
Audit Execution
Audit Execution
Audit project management
Sampling methodology
Audit evidence collection techniques
Data analytics
Reporting and communication techniques
Control self-assessment
Summary
Assessments
4
Section 2: Governance and Management of IT
Section 2: Governance and Management of IT
5
IT Governance
IT Governance
IT enterprise governance (EGIT)
IT-related frameworks
IT standards, policies, and procedures
Organizational structure
Enterprise architecture
Enterprise risk management
Maturity model
Laws, regulations, and industry standards affecting the organization
Summary
Assessments
6
IT Management
IT Management
IT resource management
IT service provider acquisition and management
IT performance monitoring and reporting
Quality assurance and quality management in IT
Summary
Assessment answers
7
Section 3: Information Systems Acquisition, Development, and Implementation
Section 3: Information Systems Acquisition, Development, and Implementation
8
Information Systems Acquisition and Development
Information Systems Acquisition and Development
Project management structure
Business cases and feasibility analysis
System development methodologies
Control identification and design
Summary
Assessments
9
Information Systems Implementation
Information Systems Implementation
Testing methodology
System migration
Post-implementation review
Summary
Assessments
10
Section 4: Information System Operations and Business Resilience
Section 4: Information System Operations and Business Resilience
11
Information System Operations
Information System Operations
Understanding common technology components
IT asset management
Job scheduling
End user computing
System performance management
Problem and incident management
Change management, configuration management, and patch management
IT service level management
Evaluating the database management process
Summary
Assessment
12
Business Resilience
Business Resilience
Business impact analysis
Data backup and restoration
System resiliency
Business continuity plan
Disaster recovery plan
DRP – test methods
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Alternate recovery site
Summary
Assessment
13
Section 5: Protection of Information Assets
Section 5: Protection of Information Assets
14
Information Asset Security and Control
Information Asset Security and Control
Information asset security frameworks, standards, and guidelines
Privacy principles
Physical access and environmental controls
Identity and access management
Biometrics
Summary
Assessments
15
Network Security and Control
Network Security and Control
Network and endpoint devices
Firewall types and implementation
VPN
Voice over Internet Protocol (VoIP)
Wireless networks
Email security
Summary
Assessments
16
Public Key Cryptography and Other Emerging Technologies
Public Key Cryptography and Other Emerging Technologies
Public key cryptography
Elements of PKI
Cloud computing
Virtualization
Mobile computing
Summary
Assessments
17
Security Event Management
Security Event Management
Security awareness training and programs
Information system attack methods and techniques
Security testing tools and techniques
Security monitoring tools and techniques
Incident response management
Evidence collection and forensics
Summary
Assessments
18
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Risk-based audit planning

CISA aspirants are expected to understand the following aspects of risk-based audit planning:

  • What is the risk?
  • Vulnerabilities and threats
  • Inherent risk and residual risk
  • The advantages of risk-based audit planning
  • Audit risk
  • The steps of the risk-based audit approach
  • The steps of risk assessment
  • The four methodologies for risk treatment

What is risk?

Let's look at some of the widely accepted definitions of risk.

Most of the CISA questions are framed around Risk. CISA candidates should have a thorough understanding of the term risk. Multiple definitions/formulas are available for risk. If you look carefully, every definition speaks either directly or indirectly about two terms: probability and impact.

Some of the more commonly used definitions of risk are presented here:

  • ERM-COSO defines risk as "Potential events that may impact the entity."
  • The Oxford English Dictionary defines risk as "The probability of something happening multiplied by the resulting cost or benefit if it does."
  • Business Dictionary.com defines risk as "The probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action."
  • ISO 31000 defines risk as "The effect of uncertainty on objectives."

In simple words, the 'risk' is the product of probability and impact:

Probability and impact are equally important when identifying risk. For example, say that the probability or likelihood of a product being damaged is very high, with a value of “1”; however, say that product barely costs anything and so the impact is “0” even if the product is damaged.

So, the risk in this scenario would be calculated as follows:

Risk = P * I

Risk = 1 * 0 = 0

Understanding vulnerability and threat

Another way of understanding risk is by understanding the notion of vulnerability and threat. In simple terms, a vulnerability is a weakness and a threat is something that can exploit said weakness. Again, both elements (V and T) should be present in order to constitute a risk.

There is no threat to a useless system, even if it is highly vulnerable. As such, the risk for that system would be nil in spite of the high vulnerability:

Vulnerability

Threat

A weakness in a system.

Generally, a vulnerability can be controlled by the organization.

An element that exploits a weakness.

Generally, a threat is not in the control of the organization.

Vulnerabilities are mostly internal elements.

Threats are mostly external elements.

Examples include weak coding, missing anti-virus, weak access control, and others.

Examples include hackers, malware, criminals, natural disasters, and so on.

There are various definitions and formulas for risks. However, for the CISA certification, please remember only the following two formulas:

Risk = Probability*Impact

Risk = A*V*T

In the second formula, A, V, and T are the value of, vulnerability of, and threats to assets, respectively.

Understanding inherent risk and residual risk

A CISA candidate should understand the difference between inherent risk and residual risk:

Inherent risk

Residual risk

The risk that an activity poses, excluding any controls or mitigating factors

The risk that remains after taking controls into account

Gross risk – that is, the risk before controls are applied

Net risk – that is, the risk after controls are applied

The following is the formula for residual risk:

Residual Risk = Inherent Risk - Control

Advantages of risk-based audit planning

Risk-based audit planning is essential to determine an audit's scope (the areas/processes/assets to be audited) effectively. It helps to deploy audit resources to areas within an organization that are subject to the greatest risk.

The following are the advantages of risk-based audit planning:

  • Effective risk-based auditing reduces the audit risk that arises during an audit.
  • Risk-based auditing is a proactive approach that helps in identifying issues at an early stage.
  • One of the major factors in a risk assessment is compliance with contractual and legal requirements. Risk-based auditing helps an organization to identify any major deviation from contractual and legal requirements. This improves compliance awareness throughout the organization.
  • Risk-based auditing promotes preventive controls over reactive measures.
  • Risk-based auditing helps to align internal audit activities with the risk management practices of the organization.

Audit risk

Audit risk refers to the risk that an auditor may not be able to detect material errors during the course of an audit. Audit risk is influenced by inherent risk, control risk, and detection risk. The following list describes each of these risks:

  • Inherent risk: This refers to risk that exists before applying a control.
  • Control risk: This refers to risk that internal controls fail to prevent or detect.
  • Detection risk: This refers to risk that internal audits fail to prevent or detect.

The following figure explains the relationship between all three risks:

The following is the formulae for calculating the audit risk:

Audit Risk = Inherent Risk X Control Risk x Detection Risk

An IS auditor should have sound knowledge of the audit risk when planning auditing activities. Some ways to minimize audit risk are listed here:

  • Conduct risk-based audit planning
  • Review the internal control system
  • Select appropriate statistical sampling
  • Assess the materiality of processes/systems in the audit scope

It is the experience and expertise of the auditor that minimizes audit risk. However, it must be noted that the auditor is a watchdog and not a bloodhound.

Risk-based auditing approach

In a risk-based auditing approach, it is important to understand the steps to be performed by the IS auditor. The following structured approach will help to minimize the audit risk and provide assurance about the state of affairs of the auditee organization:

  1. Step 1 – Acquire pre-audit requirements:
    • Knowledge about industry and regulatory requirements
    • Knowledge about applicable risk to the concerned business
    • Prior audit results
  2. Step 2 – Obtain information about internal controls:
    • Get knowledge about the control environment and procedures
    • Understand control risks
    • Understand detection risks
  1. Step 3 – Conduct compliance test:
    • Identify the controls to be tested
    • Determine the effectiveness of the controls
  2. Step 4 – Conduct a substantive test:
    • Identify the process for the substantive test
    • See that the substantive test includes analytical procedures, detail tests of account balances, and other procedures

Risk assessments

A risk assessment includes the following steps:

Risk assessments should be conducted at regular intervals to account for changes in risk factors. The risk assessment process has an iterative life cycle. Risk assessments should be performed methodically and the outputs should be comparable and reproducible.

Also, it is important to determine the risk appetite of the organization. Risk appetite helps to prioritize various risks for mitigation.

Risk response methodology

Risk response is the process of dealing with a risk to minimize its impact. It is a very important step in the risk management process. Here are the four main risk response methodologies:

  • Risk mitigation/risk reduction: Take some action to mitigate/reduce the risk.
  • Risk avoidance: Change the strategy or business process to avoid the risk.
  • Risk acceptance: Decide to accept the risk.
  • Risk transfer: Transfer the risk to a third party. Insurance is the best example.

The risk culture and risk appetite of the organization in question determines the risk response method. Of the preceding responses, the most widely used response is risk mitigation by implementing some level of controls.

Let's understand the preceding risk response methodologies with a practical example. Say that a meteorological department has forecasted heavy rain during the day and we need to attend CISA lectures. The risk of rain can be handled in the following manner:

  • The majority of candidates will try to mitigate the risk of rain by arranging for an umbrella/raincoat to safeguard them from potential rain (mitigation of risk).
  • Some courageous candidates won't worry about carrying an umbrella/raincoat (risk acceptance).
  • Some candidates, such as me, will not attend classes (risk avoidance).

It's not always feasible to mitigate all the risk at an organizational level. Risk-free enterprise is an illusion.

You cannot run a business without taking risks. Risk management is the process of determining whether the amount of risk taken by an organization is in accordance with the organization's capabilities and needs.

Top-down and bottom-up approaches to policy development

Let's understand the difference between the top-down and bottom-up approaches to policy development.

The top-down approach

In the top-down approach, a policy is developed and designed from a senior management perspective. In a top-down approach, policies are developed and aligned with business objectives. Involvement of senior management in designing the risk scenario is of the utmost importance. One advantage of the top-down approach to developing organizational policies is that it ensures consistency across the organization.

The bottom-up approach

In the bottom-up approach, polices are designed and developed from the process owner's/employee's perspective. The bottom-up approach begins by defining operational-level requirements and policies. The bottom-up approach is derived from and implemented on the basis of the results of risk assessments.

The best approach

An organization should make use of both the top-down approach and the bottom-up approach when developing organizational policies. They are complementary to each other and should be used simultaneously. In a top-down approach, major risks to business objectives are addressed, whereas in the bottom-up approach, process-level risks are addressed.

Key aspects from CISA exam perspective

The following table covers the important aspects from the CISA exam perspective:

CISA questions

Possible answers

The most important step in a risk assessment is to identify

Threats and vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify what?

High risk areas

Once threats and vulnerabilities are identified, what should be the next step?

Identify and evaluate existing controls

What is the advantage of risk based audit planning?

Resources can be utilized for high risk areas

What does the level of protection of information assets depend on?

Criticality of assets

What is risk that is influenced by the actions of an auditor known as?

Detection risk

What is audit risk?

Audit risk is the sum total of inherent risk, control risk, and detection risk

What is risk the product of?

Probability and impact

What are the results of risk management processes used for?

Designing the control

Whose responsibility is the management of risk to an acceptable level?

Senior management

What is the absence of proper security measures known as?

Vulnerability

What is the advantage of the bottom-up approach for the development of organizational policies?

Policies are created on the basis of risk analysis

What is risk before controls are applied known as?

Inherent risk/gross risk (after the implementation of controls, it is known as residual risk/net risk)

Self-evaluation questions

  1. Which of the following is the most critical aspect of a risk analysis?
    1. Identifying competitors
    2. Identifying the existing controls
    3. Identifying vulnerabilities
    4. Identifying the reporting matrix of the organization
  2. What is the initial step in risk-focused audit planning?
    1. Identifying the role and responsibility of the relevant function
    2. Identifying high-risk processes
    3. Identifying the budget
    4. Identifying the profit function
  3. What is the main objective of conducting a risk assessment?
    1. To determine the segregation of duties for critical functions
    2. To ensure that critical vulnerabilities and threats are recognized
    3. To ensure that regulations are complied with
    4. To ensure business profitability
  4. What should be the next step of an IS auditor after identifying threats and vulnerabilities in a business process?
    1. Identifying the relevant process owner
    2. Identifying the relevant information assets
    3. Reporting the threat and its impact to the audit committee
    4. Identifying and analyzing the current controls
  1. Which of the following is the main benefit of risk-based audit planning?
    1. The communication of audit planning to the client in advance
    2. The completion of the audit activity within the allocated budget constraints
    3. The use of the latest auditing technology
    4. The focus on high-risk areas
  2. Which of the following should be the primary focus when considering the level of security of an IT asset?
    1. The criticality of the IT asset
    2. The value of IT the asset
    3. The owner of IT the asset
    4. The business continuity arrangement for the IT asset
  1. The actions of the IS auditor is most likely to influence which of the following risks?
    1. Inherent
    2. Detection
    3. Control
    4. Business
  2. What is the risk of an inadequate audit methodology known as?
    1. The procedural aspect
    2. Control risk
    3. Detection risk
    4. Residual risk
  3. Particular threat of an overall business risk indicated as:
    1. The product of the probability and impact
    2. The probability of threat realization
    3. The valuation of the impact
    4. The valuation of the risk management team
  4. Which of the following is the first step in performing risk assessments of information systems?
    1. Reviewing the appropriateness of existing controls
    2. B. Reviewing the effectiveness of existing controls
    3. Reviewing the asset-related risk surveillance mechanism
    4. Reviewing the threats and vulnerabilities impacting the assets
  1. What is the first step in evaluating the security controls of a data center?
    1. Determining the physical security arrangement
    2. Evaluating the threats and vulnerabilities applicable to the data center site
    3. Evaluating the hiring process of security staff
    4. Determining the logical security arrangements
  2. What does the classification of information assets help to ensure?
    1. The protection of all IT assets
    2. That a fundamental level of security is implemented irrespective of the value of assets
    3. That information assets are subject to suitable levels of protection
    4. That only critical IT assets are protected
  1. Which of the following should be performed first in a risk-focused audit?
    1. Analyzing inherent risk
    2. Analyzing residual risk
    3. Analyzing the controls assessment
    4. Analyzing the substantive assessment
  2. In a risk-focused audit, which of the following is the most critical step?
    1. Determining the high-risk processes
    2. Determining the capability of audit resources
    3. Determining the audit procedure
    4. Determining the audit schedule
  3. Which of the following options best describes the process of assessing a risk?
    1. Subject-oriented
    2. Object-oriented
    3. Mathematics-oriented
    4. Statistics-oriented
  4. What is the outcome of a risk assessment exercise utilized for?
    1. Estimating profits
    2. Calculating the ROI
    3. Implementing relevant controls
    4. Conducting user acceptance testing
  1. With whom does the responsibility of managing risk to an acceptable level rest?
    1. The risk management team
    2. Senior business management
    3. The chief information officer
    4. The chief security officer
  2. Which of the following is a major factor in the evaluation of IT risks?
    1. Finding vulnerabilities and threats that are applicable to IT assets
    2. Analyzing loss expectancy
    3. Benchmarking with industry
    4. Analyzing previous audit reports
  1. An IS auditor has determined a few vulnerabilities in a critical application. What should their next step be?
    1. Reporting the risk to the audit committee immediately
    2. Determining a system development methodology
    3. Identifying threats and their likelihood of occurrence
    4. Recommending the development of a new system
  2. What does a lack of appropriate control measures indicate?
    1. Threat
    2. Magnitude of impact
    3. Probability of occurrence
    4. Vulnerability
  3. Which of the following is the first step in a risk management program?
    1. Determining a vulnerability
    2. Determining existing controls
    3. Identifying assets
    4. Conducting a gap analysis
  4. What is the advantage of the bottom-up approach to the development of enterprise policies?
    1. They cover the whole organization.
    2. They are created on the basis of risk analysis.
    3. They are reviewed by top management.
    4. They support consistency of procedure.
  1. The mitigation of risk can be done through which of the following?
    1. Controls
    2. Outsourcing
    3. Audit and certification
    4. Service level agreements (SLAs)
  2. The most important factor when implementing controls is ensuring that the control does which of the following?
    1. Helps to mitigate risk
    2. Does not impact productivity
    3. Is cost effective
    4. Is automated
  1. The absence of internal control mechanisms is known as what?
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
  2. Which of the following represents the risk that the controls will not prevent, correct, or detect errors in a timely manner?
    1. Inherent risk
    2. Control risk
    3. Detection risk
    4. Correction risk
  3. What is the primary consideration when evaluating the acceptable level of risk?
    1. The acceptance of risk by higher management
    2. That not all risks need to be addressed
    3. That all relevant risks must be recognized and documented for analysis
    4. The involvement of line management in risk analysis
  4. What is the best approach when focusing an audit on a high-risk area?
    1. Perform the audit; the control failures will identify the areas of highest risk
    2. Perform the audit and then perform a risk assessment
    3. Perform a risk assessment first and then concentrate control tests in the high-risk areas
    4. Increase sampling rates in high-risk areas
  1. In a risk-based audit approach, which of the following is the least relevant to audit planning?
    1. The adoption of a mature technology by the organization
    2. The risk culture and risk awareness of the organization
    3. The legal regulatory impact
    4. Previous audit findings
Previous Section
End of Section 6
Next Section