CISA – Certified Information Systems Auditor Study Guide - Second Edition

By : Hemang Doshi
Overview of this book

With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.
Data Analytics

Data Analytics (DA) is the process of examining data sets to draw conclusions from them. It turns raw data into usable, meaningful information, which for an IS auditor means evidence on which findings can be based.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

  • To determine whether users are authorized, by matching the logical access list (user accounts) against the human resource employee database; accounts with no active employee behind them stand out
  • To determine whether changes are authorized, by combining the file library settings with change management system data and the dates of file changes
  • To identify tailgating, by combining physical access (badge) records with logical access (logon) records; a local logon with no corresponding badge entry suggests the person was let in by someone else
  • To review system configuration settings
  • To review logs for unauthorized access
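The first and third checks above, implemented over constructed data, as an added example (this code is not from the book). The HR table, the access list, the badge and logon records, the two-hour badge window and all names are assumptions made for illustration.

```python
"""Added example: two data-analytics checks (authorized users, tailgating)
run over constructed sample data. Nothing here comes from a real system."""
from datetime import datetime, timedelta

# Constructed HR master data: employee ID -> (name, employment status)
HR_EMPLOYEES = {
    "E100": ("Alice", "active"),
    "E101": ("Bob", "terminated"),
    "E102": ("Carol", "active"),
}

# Constructed logical access list exported from the application.
LOGICAL_ACCESS = [
    {"user": "alice", "emp_id": "E100", "role": "analyst"},
    {"user": "bob", "emp_id": "E101", "role": "admin"},       # still enabled after termination
    {"user": "svc_report", "emp_id": None, "role": "reader"},  # no HR owner at all
    {"user": "carol", "emp_id": "E102", "role": "analyst"},
]

def unauthorized_accounts(access, hr):
    """Combine the logical access file with the HR database and flag every
    account whose owner is not an active employee (terminated, or unknown to HR)."""
    findings = []
    for acct in access:
        emp = hr.get(acct["emp_id"])
        if emp is None:
            findings.append((acct["user"], "no matching HR record"))
        elif emp[1] != "active":
            findings.append((acct["user"], f"employee status is {emp[1]}"))
    return findings

# Constructed physical-access (badge-in) and local logon records for one day.
BADGE_LOG = [
    ("E100", datetime(2024, 3, 4, 8, 55)),
    ("E102", datetime(2024, 3, 4, 9, 10)),
]
LOGON_LOG = [
    ("alice", "E100", datetime(2024, 3, 4, 9, 2)),
    ("bob", "E101", datetime(2024, 3, 4, 9, 5)),    # console logon, no badge-in
    ("carol", "E102", datetime(2024, 3, 4, 9, 12)),
]

def tailgating_candidates(badge_log, logon_log, window=timedelta(hours=2)):
    """Combine physical and logical access records: a local logon with no badge-in
    by the same employee within the preceding window is a tailgating candidate."""
    entries = {}
    for emp_id, ts in badge_log:
        entries.setdefault(emp_id, []).append(ts)
    suspects = []
    for user, emp_id, ts in logon_log:
        badged = any(ts - window <= b <= ts for b in entries.get(emp_id, []))
        if not badged:
            suspects.append((user, ts))
    return suspects

if __name__ == "__main__":
    for finding in unauthorized_accounts(LOGICAL_ACCESS, HR_EMPLOYEES):
        print("unauthorized:", *finding)
    for suspect in tailgating_candidates(BADGE_LOG, LOGON_LOG):
        print("logon without badge-in:", *suspect)
```

The tailgating check only makes sense for logons at a physical workstation; remote (VPN) sessions must be excluded from the logon extract first, otherwise every home worker becomes a false positive.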

CAATs

Computer-Assisted Audit Techniques (CAATs) are extremely useful to IS auditors for gathering and analyzing large and complex data sets during an IS audit. CAATs help an IS auditor collect evidence from different hardware and software environments and from different data formats.

The following table presents a breakdown of the functions of CAAT tools:

  • General Audit Software: standard software used to read and access data directly from various database platforms and file formats, so the auditor can query, sample, total and compare records without relying on auditee-built reports.
  • Utility and Scanning Software: utilities generate reports from the database management system; scanning software examines a system for known vulnerabilities and configuration weaknesses.
  • Debugging: helps in identifying and isolating errors in computer hardware or software.
  • Test Data: used to test the processing logic, computations and controls programmed into computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable because the auditor extracts and analyzes it directly, rather than relying on reports prepared by the auditee.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For detailed analysis
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data: verify that it is authentic and complete (for example, by agreeing record counts, control totals or a file hash with the auditee at the time of export) and protect its confidentiality
  • Obtain approval before installing CAAT software on the auditee's servers
  • Obtain only read-only access when using CAATs on production data
  • Apply edits or modifications only to a duplicate of the data, so the integrity of the original data is preserved
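The first and last precautions above, implemented for a CSV extract, as an added example (this code is not from the book). The extract, its file names, the control totals chosen (SHA-256, record count, sum of amounts) and the truncated-transfer scenario are assumptions made for illustration.

```python
"""Added example: verify an imported extract against control totals agreed at
export, then work only on a copy. All data and file names are constructed."""
import csv
import hashlib
import io
import shutil
import tempfile
from pathlib import Path

# Constructed transaction extract as it would be exported from the auditee system.
EXTRACT = (
    "txn_id,account,amount\n"
    "T1,ACC-1,1250.00\n"
    "T2,ACC-2,99.50\n"
    "T3,ACC-1,10450.00\n"
)

def control_totals(data: bytes) -> dict:
    """Totals computed by the auditee at export and recomputed by the auditor
    after import: file hash, record count and sum of the amount column."""
    digest = hashlib.sha256(data).hexdigest()
    rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    total = sum(float(r["amount"]) for r in rows)
    return {"sha256": digest, "records": len(rows), "amount_total": round(total, 2)}

def verify_import(path: Path, expected: dict) -> bool:
    """Any mismatch means the extract was altered or truncated in transit."""
    return control_totals(path.read_bytes()) == expected

def stage_working_copy(original: Path, workdir: Path) -> Path:
    """Make the original extract read-only and return a copy for all edits."""
    original.chmod(0o444)
    copy = workdir / (original.stem + "_working" + original.suffix)
    shutil.copyfile(original, copy)
    return copy

def demo():
    tmp = Path(tempfile.mkdtemp())
    received = tmp / "transactions_extract.csv"
    received.write_bytes(EXTRACT.encode())
    expected = control_totals(EXTRACT.encode())   # agreed with the auditee at export
    ok = verify_import(received, expected)
    # Simulated truncated transfer: the last record is lost on the way.
    truncated = tmp / "transactions_truncated.csv"
    truncated.write_bytes(EXTRACT.encode().rsplit(b"\n", 2)[0] + b"\n")
    bad = verify_import(truncated, expected)
    work = stage_working_copy(received, tmp)
    return ok, bad, work.exists(), expected["records"], expected["amount_total"]

if __name__ == "__main__":
    print(demo())
```

A hash alone proves the bytes are unchanged; the record count and amount total are what lets the auditor reconcile the extract to the auditee's own reports, which is the check that catches an incomplete export rather than a corrupted transfer.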

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing
  • An audit is conducted in a real-time or near-real-time environment, so the gap between an operation and its audit is much shorter than under a traditional audit approach.
  • Example: high-value payouts are audited immediately after a payment is made.

Continuous Monitoring
  • The relevant process of a system is observed on a continuous basis.
  • Example: antivirus software or an IDS continuously monitors a system or network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are distinct activities (auditing is performed by the auditor, monitoring by management), but they complement each other. Continuous assurance is achieved when both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF). In an ITF, a fictitious entity (for example, a dummy customer or cost center) is created in the production environment:

  • The auditor enters test or dummy transactions against that entity and checks the processing and results of these transactions for correctness.
  • Processed results are compared with expected results to check the proper functioning of the system. If they match, processing is judged correct; if not, the difference is investigated.
  • Because the test runs in production, the test transactions must be removed or reversed once verification is complete so that they do not distort real balances and reports.

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

  • In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
  • A SCARF is used to obtain data or information for audit purposes.
  • SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
  • SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

  • This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
  • Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
  • Snapshots are useful when an audit trail is required.
  • The IS auditor should consider the following significant factors when working with this technique:
    • At what location snapshots are captured
    • At what time snapshots are captured
    • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

  • Audit hooks are embedded in the application system to capture exceptions.
  • The auditor can set different criteria to capture exceptions or suspicious transactions.
  • For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
  • Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
  • Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

  • CIS replicates or simulates the processing of the application system.
  • In this technique, a simulator selects transactions according to predefined parameters. The selected transactions are then audited for further verification and review.
  • CIS compares its own results with the results produced by the application system. Any discrepancies are written to an exception log file.
  • CIS is useful for identifying transactions that meet predefined criteria in a complex environment.
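The SCARF/audit hook, snapshot and CIS techniques above, shown together in a toy payment application with an embedded audit module, as an added example (this code is not from the book). The application, its fee rule, the constructed defect in that rule, the transactions and the $10,000 cash criterion are all assumptions made for illustration.

```python
"""Added example: an embedded audit module (SCARF/audit hook), before/after
snapshots, and continuous and intermittent simulation (CIS) around a
constructed payment-processing loop."""
from dataclasses import dataclass, field

@dataclass
class Txn:
    txn_id: str
    account: str
    amount: float
    kind: str  # "cash" or "transfer"

@dataclass
class AuditModule:
    """Embedded audit module. It never interrupts regular processing (the SCARF
    property); it only records what the auditor asked for."""
    exception_limit: float = 10_000.0
    exceptions: list = field(default_factory=list)     # SCARF / audit hook output
    snapshots: list = field(default_factory=list)      # before/after images
    discrepancies: list = field(default_factory=list)  # CIS exception log

    def hook(self, txn):
        # Audit hook: criteria set by the auditor, here cash above the limit.
        if txn.kind == "cash" and txn.amount > self.exception_limit:
            self.exceptions.append(txn.txn_id)

    def snapshot(self, txn, stage, balance):
        # Snapshot: image of the account balance at a given processing stage.
        self.snapshots.append((txn.txn_id, stage, balance))

    def simulate(self, txn, app_fee):
        # CIS: recompute the fee independently and log any disagreement.
        expected = simulated_fee(txn)
        if abs(expected - app_fee) > 0.005:
            self.discrepancies.append((txn.txn_id, app_fee, expected))

def simulated_fee(txn):
    """Auditor's model of the documented rule: 1% on cash, flat 2.50 on transfers."""
    return round(txn.amount * 0.01, 2) if txn.kind == "cash" else 2.50

def application_fee(txn):
    """The application's actual rule, with a constructed defect: fees on large
    cash amounts are truncated to whole dollars, which the documented rule forbids."""
    if txn.kind == "cash":
        fee = txn.amount * 0.01
        return float(int(fee)) if txn.amount > 5_000 else round(fee, 2)
    return 2.50

def process(transactions, audit):
    """Regular processing with the audit module called at each stage."""
    balances = {}
    for t in transactions:
        before = balances.get(t.account, 0.0)
        audit.snapshot(t, "before", before)
        audit.hook(t)
        fee = application_fee(t)
        balances[t.account] = round(before + t.amount - fee, 2)
        audit.snapshot(t, "after", balances[t.account])
        audit.simulate(t, fee)
    return balances

# Constructed transactions.
TXNS = [
    Txn("T1", "ACC-1", 250.00, "cash"),
    Txn("T2", "ACC-2", 12_550.00, "cash"),   # above the hook limit; fee truncated
    Txn("T3", "ACC-1", 8_000.00, "transfer"),
    Txn("T4", "ACC-3", 6_010.00, "cash"),    # below the limit; fee truncated
]

def run():
    audit = AuditModule()
    balances = process(TXNS, audit)
    return balances, audit

if __name__ == "__main__":
    balances, audit = run()
    print("exceptions:", audit.exceptions)
    print("CIS discrepancies:", audit.discrepancies)
    print("snapshots:", audit.snapshots)
```

Note what each technique catches: the hook flags T2 only, because the criterion is the amount; CIS flags both T2 and T4, because it re-derives the result regardless of size; the snapshots give the audit trail needed to show exactly which balance each defective fee affected.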

The following table summarizes the features of continuous audit tools:

  • SCARF/EAM: useful when regular processing cannot be interrupted.
  • Snapshots: used when an audit trail is required.
  • Audit hooks: used when early detection of fraud or error is required.
  • ITF: test data is used in a production environment.
  • CIS: useful for the identification of transactions that meet predefined criteria in a complex environment.

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

  • What is the first step of conducting data analytics?
    Determining the objective and scope of the analytics.
  • Which is the most effective online audit technique when an audit trail is required?
    The snapshot technique.
  • What is the advantage of an Integrated Test Facility (ITF)?
    Setting up a separate test environment or test process is not required; the ITF validates the accuracy of system processing in the production environment.
  • Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?
    CIS, which is most useful for identifying transactions that meet predefined criteria in a complex environment.

Table 2.13: Key aspects from the CISA exam perspective