This article covers –
Understanding the domain in general
Exam-oriented concepts that you should focus on
The article is divided into 3 parts, as follows:
Part 1 – Domain 1: Understanding the basics of Domain 1; important concepts from an exam point of view – Audit charter, Audit planning and Risk analysis
Part 2 – Internal controls COBIT – 5, Risk based auditing, Risk treatment
Part 3 – Compliance testing vs. Substantive testing
Understanding the domain in general
Weightage – This domain accounts for 21 percent of the CISA exam (approximately 32 questions).
This Knowledge Statement covers 11 topics related to auditing information systems:
ISACA IS Audit and Assurance Standards and Guidelines, Tools and Techniques, Code of Professional Ethics, and other applicable standards
Risk assessment concepts and tools and techniques for planning, examination, reporting, and follow-up
The role of IS in fundamental business processes
Control principles for information systems controls
Audit project management and risk-based audit planning
The scope, frequency and preservation of audits are affected by applicable laws and regulations
Techniques for obtaining, protecting and preserving audit evidence using evidence collection techniques
Different sampling methods and other substantive/data analytic procedures
Communication and reporting
Audit quality assurance (QA), systems and frameworks
There are many types of audits available and different methods to assess and rely on the work of other auditors and control entities.
The Audit Charter outlines the authority, scope, and responsibilities of the audit function.
The audit committee or senior management should approve the audit charter.
The management committee is never involved in internal audit.
Here are some points to keep in mind:
A CISA question on who approves the audit charter should be answered with senior management when choosing among the given options.
Is the auditor’s role more to report audit observations and give an “independent audit view”?
Step 1 – Understand the business’s mission, vision, and objectives. This includes its information requirements in terms of the CIA triad (confidentiality, integrity and availability of data).
Step 2 – Understand the business environment
Step 3 – Review any previous work papers
Step 4 – Perform a risk analysis
Step 5 – Define the audit scope and objectives
Step 6 – Create an audit plan/strategy
Step 7 – Assign audit personnel/resources
Remember: Understanding the business mission, objectives, and business environment is the first step in audit planning. Next, analyze the risk involved based on the audit scope. Audit planning includes –
Short term planning – This is a plan that addresses audit issues that will be covered in the next year.
Long-term planning – Audit plans that take into account risks related to changes in the organization’s IT strategic direction and how they will affect the IT environment.
Risk is the combination of the likelihood of an event and its consequences (International Organization for Standardization [ISO] 31000:2009).
Audit planning includes risk analysis. This helps to identify risks and vulnerabilities, and helps the IS auditor determine the controls that will be used to mitigate them.
Remember: CISA candidates should be able to distinguish between a threat and a vulnerability. A threat is anything that can exploit a weakness to damage or destroy assets. A vulnerability is a weakness or gap in a security system that could be exploited by a threat to gain unauthorized access to an asset. Risk analysis is covered by the risk management frameworks ISO 27005 and ISO 31000.
Risk Assessment Process – The process