CISA DOMAIN 1:
THE PROCESS OF AUDITING INFORMATION SYSTEMS
Day 1
Suriname College of Accountancy
CISA Program
Risk Analysis
Internal Controls
Internal Control Objectives
IS Control Objectives
COBIT
General Controls
IS Controls
Program of Domain 1 (3)
Classification of Audits
Audit Programs
Audit Methodology
Fraud Detection
Program of Domain 1 (4)
Risk-based Auditing
Audit Risk and Materiality
Assessing & Treating Risks
Risk Assessment Techniques
Program of Domain 1 (5)
Audit Evidence
Sampling
Program of Domain 1 (6)
Audit Documentation
Program of Domain 1 (7)
Exam training
CISA’s road ahead
Closing session
OVERVIEW
There are five tasks within the domain covering the process of auditing information systems:
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
A1-15 (A)
D is the correct answer.
Justification:
A. The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.
B. An audit charter will state the authority and reporting requirements for the audit, but not the details of maintenance of internal controls.
C. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
D. An audit charter should state management's objectives for and delegation of authority to IS auditors.
Exam training
A1-72 (A)
D is the correct answer.
Justification:
A. Short-term and long-term planning is the responsibility of audit management.
B. The objectives and scope of each IS audit should be agreed on in an engagement letter. The charter would specify the objectives and scope of the audit function but not of individual engagements.
C. A training plan, based on the audit plan, should be developed by audit management.
D. An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.
IS Audit Resource Management
Annual planning:
Short term – audit issues to be covered;
Long term – changes in IT strategic direction.
To perform audit planning, the IS auditor should perform the following steps:
1. Gain an understanding of the business's mission, objectives, purpose and processes, which include information and processing requirements such as availability, integrity, security and business technology, and information confidentiality.
Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures, as well as business application features.
A1-99 (A)
A is the correct answer.
Justification:
A. The effect of applicable statutory requirements must be factored in while planning an IS audit; the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutory requirements.
C. Industry best practices help plan an audit; however, best practices are not mandatory and can be deviated from to meet organization objectives.
A. Process narrative
B. Inquiry
C. Reperformance
D. Walk-through
Exam training
A1-101 (A)
D is the correct answer.
Justification:
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
A1-3 (A)
C is the correct answer.
Justification:
A. Auditing the new enterprise resource planning (ERP) application does not reflect a risk-based approach. Although ERP systems typically contain sensitive data and may present risk of data loss or disclosure to the organization, without a risk assessment, the decision to solely audit the ERP system is not a risk-based decision.
B. Auditing the e-commerce server because it was not audited last year does not reflect a risk-based approach. In addition, the IT manager may know about problems with the e-commerce server and may be intentionally trying to steer the audit away from that vulnerable area. Although at first glance e-commerce may seem to be the most risky area, an assessment must be conducted rather than relying on the judgment of the IS auditor or IT manager.
C. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."
D. The creation of the audit plan should be performed in cooperation with management and based on risk. The IS auditor should not arbitrarily decide on what needs to be audited.
The framework for the ISACA IT audit and assurance standards provides for multiple levels as follows:

Guidelines (G):
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer-Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G16 Effect of Third Parties on Organization's IT Controls
G17 Effect of Non-audit Role on IS Auditor's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Review
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence
G31 Privacy
G32 Business Continuity Plan Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management
G38 Access Control
G39 IT Organizations
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance
Procedures (P):
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and Other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment—Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)
Information Technology Assurance Framework (ITAF) (1)
General Standards: the guiding principles under which the IT assurance profession operates.
A1-37 (A)
C is the correct answer.
Justification:
A. Data flow diagrams do not order data in a hierarchy.
B. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.
C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.
D. The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated.
Exam training
A. an understanding of workflows.
A1-39 (A)
C is the correct answer.
Justification:
A. A workflow diagram would provide information about the roles of different employees. This is not the purpose of an organizational chart.
B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines, but is not used for examining communications channels.
A1-88 (A)
A is the correct answer.
Justification:
A. Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process.
D. Due diligence reviews are a type of audit generally related to mergers and acquisitions.
Q&A
CYRIL.SOERI@TAH.SR / GREGORY.TAI-APIN@BNETS.SR
MOB: 719 00 47 / 89 29 293