Book Image

CISA – Certified Information Systems Auditor Study Guide - Second Edition

By : Hemang Doshi
5 (3)
Book Image

CISA – Certified Information Systems Auditor Study Guide - Second Edition

5 (3)
By: Hemang Doshi

Overview of this book

With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.

Related Content you might be interested in

Current Title:

Small book image
CISA – Certified Information Systems Auditor Study Guide - Second Edition
Hemang Doshi
Jun, 2023 | 330 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Dec, 2022 | 718 pages
Small book image
Certified Information Security Manager Exam Prep Guide
Hemang Doshi
Nov, 2021 | 616 pages
Small book image
Mastering Information Security Compliance Management
Greeshma M R | Adarsh Nair
Aug, 2023 | 236 pages
Table of Contents (14 chapters)
Preface
Preface
Online Exam-Prep Tools
Who This Book Is For
What This Book Covers
How to Get the Most out of This Book
Recorded Lectures
Requirements for the Online Content
Instructions for Unlocking the Online Content
Quick Access to the Website
Conventions Used
Get in Touch
Share Your Thoughts
Download a Free PDF Copy of This Book
1
Chapter 1: Audit Planning
Chapter 1: Audit Planning
The Contents of an Audit Charter
Audit Planning
Business Process Applications and Controls
Types of Controls
Risk-Based Audit Planning
Types of Audits and Assessments
Summary
Chapter Review Questions
Free Chapter
2
Chapter 2: Audit Execution
Chapter 2: Audit Execution
Audit Project Management
Sampling Methodology
Audit Evidence Collection Techniques
Data Analytics
Reporting and Communication Techniques
Control Self-Assessment
Summary
Chapter Review Questions
3
Chapter 3: IT Governance
Chapter 3: IT Governance
Enterprise Governance of IT (EGIT)
IT-Related Frameworks
IT Standards, Policies, and Procedures
Organizational Structure
Enterprise Architecture
Enterprise Risk Management
Maturity Model
Laws, Regulations, and Industry Standards Affecting the Organization
Summary
Chapter Review Questions
4
Chapter 4: IT Management
Chapter 4: IT Management
IT Resource Management
IT Service Provider Acquisition and Management
IT Performance Monitoring and Reporting
Quality Assurance and Quality Management in IT
Summary
Chapter Review Questions
5
Chapter 5: Information Systems Acquisition and Development
Chapter 5: Information Systems Acquisition and Development
Project Management Structure
Business Case and Feasibility Analysis
System Development Methodologies
Control Identification and Design
Summary
Chapter Review Questions
6
Chapter 6: Information Systems Implementation
Chapter 6: Information Systems Implementation
Testing Methodology
System Migration
Post-Implementation Review
Summary
Chapter Review Questions
7
Chapter 7: Information Systems Operations
Chapter 7: Information Systems Operations
Understanding Common Technology Components
IT Asset Management
Job Scheduling
End User Computing
System Performance Management
Problem and Incident Management
Change Management, Configuration Management, and Patch Management
IT Service-Level Management
Evaluating the Database Management Process
Summary
Chapter Review Questions
8
Chapter 8: Business Resilience
Chapter 8: Business Resilience
Business Impact Analysis
Data Backup and Restoration
System Resiliency
Business Continuity Plan
Disaster Recovery Plan
DRP – Test Methods
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Alternate Recovery Sites
Summary
Chapter Review Questions
9
Chapter 9: Information Asset Security and Control
Chapter 9: Information Asset Security and Control
Information Asset Security Frameworks, Standards, and Guidelines
Privacy Principles
Physical Access and Environmental Controls
Identity and Access Management
Biometrics
Summary
Chapter Review Questions
10
Chapter 10: Network Security and Control
Chapter 10: Network Security and Control
Network and Endpoint Devices
Firewall Types and Implementation
VPN
Voice over Internet Protocol (VoIP)
Wireless Networks
Email Security
Summary
Chapter Review Questions
11
Chapter 11: Public Key Cryptography and Other Emerging Technologies
Chapter 11: Public Key Cryptography and Other Emerging Technologies
Public Key Cryptography
Elements of PKI
Cloud Computing
Virtualization
Mobile Computing
Internet of Things (IoT)
Summary
Chapter Review Questions
12
Chapter 12: Security Event Management
Chapter 12: Security Event Management
Security Awareness Training and Programs
Information System Attack Methods and Techniques
Security Testing Tools and Techniques
Security Monitoring Tools and Techniques
Incident Response Management
Evidence Collection and Forensics
Summary
Chapter Review Questions
Why subscribe?
13
Other Books You May Enjoy
Other Books You May Enjoy
Share Your Thoughts
Download a Free PDF Copy of This Book

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical in the audit as audit opinions are based on reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the extent of the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be considered based on relevant timing.

The following figure highlights the evidence-related guidelines:

Figure 2.6: Evidence-related guidelines

Figure 2.6: Evidence-related guidelines

The rules shown in the preceding figure are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process:

Factors

Descriptions

Review the organization’s structure

  • The IS auditor should review the organization’s structure and governance model.
  • This will help the auditor determine the control environment of the enterprise.

Review IS policies, processes, and standards
  • The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented.
  • The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

Observations
  • The IS auditor should observe the process to determine the following:
    • The skill and experience of the staff
    • The security awareness of the staff
    • The existence of segregation of duties (SoD)

Interview technique
  • The IS auditor should have the skill and competency to conduct interviews tactfully.
  • Interview questions should be designed in advance to ensure that all topics are covered.
  • To the greatest extent possible, interview questions should be open-ended to gain insight into the process.
  • The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

Re-performance
  • In re-performance, the IS auditor performs the activity that is originally performed by the staff of the organization.
  • Re-performance provides better evidence than other techniques.
  • It should be used when other methods do not provide sufficient assurance about control effectiveness.

Process walk-through
  • A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.

Computer-Assisted Audit Techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What does the extent of the data requirements for the audit depend on?

The objective and scope of the audit.

What should audit findings be supported by?

Sufficient and appropriate audit evidence.

What is the most important reason to obtain sufficient audit evidence?

To provide a reasonable basis for drawing conclusions.

What is the most effective tool for obtaining audit evidence through digital data?

Computer-assisted auditing techniques.

What is the most important advantage of using CAATs for gathering audit evidence?

CAATs provide assurance about the reliability of the evidence collected.

What type of evidence is considered most reliable?

Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

What is the primary reason for a functional walk-through?

To understand the business process.

Table 2.9: Key aspects from the CISA exam perspective

Previous Section
End of Section 4
Next Section