Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
CISA – Certified Information Systems Auditor Study Guide

You're reading from   CISA – Certified Information Systems Auditor Study Guide Ace the CISA exam with practical examples and over 1000 exam-oriented practice questions

Arrow left icon
Product type Paperback
Published in Oct 2024
Publisher Packt
ISBN-13 9781835882863
Length 356 pages
Edition 3rd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (15) Chapters Close

Preface 1. Chapter 1: Audit Planning 2. Chapter 2: Audit Execution FREE CHAPTER 3. Chapter 3: IT Governance 4. Chapter 4: IT Management 5. Chapter 5: Information Systems Acquisition and Development 6. Chapter 6: Information Systems Implementation 7. Chapter 7: Information Systems Operations 8. Chapter 8: Business Resilience 9. Chapter 9: Information Asset Security and Control 10. Chapter 10: Network Security and Control 11. Chapter 11: Public Key Cryptography and Other Emerging Technologies 12. Chapter 12: Security Event Management 13. Chapter 13: Accessing the Online Practice Resources 14. Other Books You May Enjoy

Data Analytics

DA is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information. DA plays an important role in modern audit execution, as it enhances the auditor’s ability to assess risks, identify anomalies, and provide more insightful findings.

The following are some example use cases of DA:

  • To determine whether a user is authorized by combining logical access files with the human resources employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input records with output records
  • To review system configuration settings
  • To review logs for unauthorized access

CAATs take the data analysis process a step further by simplifying the examination of complex data. CAATs are discussed in detail in the next section.

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools

Functions

General audit software

This is a standard type of software that is used to read and access data directly from various database platforms.

Utility and scanning software

This helps in generating reports of the database management system.

It scans all the vulnerabilities in the system.

Debugging

This helps in identifying and removing errors from computer hardware or software.

Test data

This is used to test processing logic, computations, and controls programmed in computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable than the manual process.

The following are some example use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For a detailed analysis of any given process
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability scanning and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions While Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality.
  • Obtain approval for installing the CAAT software on the auditee servers.
  • Obtain only read-only access when using CAATs on production data. This will ensure that no one can edit the data.
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured.

Continuous Auditing and Monitoring

Continuous auditing and monitoring processes are used to regularly review and assess an organization’s IT activities as well as data to detect anomalies, trends, and potential issues as they occur and to ensure compliance and improve overall performance.

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing

Continuous Monitoring

In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach.

In continuous monitoring, the relevant process of a system is observed on a continuous basis.

For example, high payouts are audited immediately after a payment is made.

For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor to the introduction of a continuous monitoring process.

The following subsections discuss five widely used continuous audit tools.

Integrated Test Facility

An integrated test facility (ITF) is a technique used in auditing to test a system’s processes and controls by inserting test data into a live production system without affecting the actual data. This helps auditors evaluate how well the system handles transactions and identify any potential issues.

In an ITF, a fictitious transaction is created in the production environment.

The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness. Then, the auditor evaluates the processed results and expected results to verify the proper functioning of the systems. If the processed results match the expected results, then the auditor determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

A system control audit review file (SCARF) is a technique in which an audit module is embedded into (built in) the organization’s host application to track transactions on an ongoing basis. A SCARF is used to obtain data or information for audit purposes. SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor. For example, a company may decide to capture a payout greater than $10,000 in a separate file and then such transactions can be reviewed by the auditor to verify whether the limit has been adhered to.

SCARFs are useful when regular processing cannot be interrupted, such as in an online banking system.

Snapshot Technique

The snapshot technique captures snapshots or pictures of a transaction as it is processed at different stages in the system. Details are captured both before and after the execution of the transaction. The correctness of a transaction is verified by validating its pre-processing and post-processing snapshots. Snapshots are useful when an audit trail is required.

The IS auditor should consider the following significant factors when working with the snapshot technique:

  • The location at which snapshots are captured
  • The time at which snapshots are captured
  • The manner in which the snapshot data is reported

Audit Hook

An audit hook is a tool used in auditing to help detect and report unusual or suspicious activities in a system in real time. It acts like a trigger that alerts auditors or security personnel when certain predefined conditions are met, allowing for quick investigation and response.

Audit hooks are embedded in an application system to capture exceptions. The auditor can set different criteria to capture exceptions or suspicious transactions. For example, to closely monitor cash transactions, an auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions can then be reviewed by the auditor to identify fraud, if any.

Audit hooks are helpful in the early identification of irregularities, such as fraud or errors. They are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

Continuous and intermittent simulation (CIS) replicates or simulates the processing of the application system. In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review. CIS compares its own results with the results produced by application systems. If any discrepancies are noted, they are written to the exception log file. CIS is useful for identifying the transactions as per predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Audit Tool

Usage

SCARF/embedded audit module (EAM)

This is useful when regular processing cannot be interrupted

Snapshots

Pictures or snapshots are used when an audit trail is required

Audit hooks

When early detection of fraud or an error is required

ITF

Test data is used in a production environment

CIS

CIS is useful for the identification of transactions as per predefined criteria in a complex environment

Table 2.12: Types of continuous audit tools and their features

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

Questions

Possible Answers

What is the first step of conducting data analytics?

The first step is determining the objective and scope of analytics

Which is the most effective online audit technique when an audit trail is required?

The snapshot technique

What is the advantage of an ITF?

Setting up a separate test environment/test process is not required. An ITF helps validate the accuracy of the system processing.

Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is most useful for identifying transactions as per predefined criteria in a complex environment

Table 2.13: Key aspects for the CISA exam

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. Effectively reporting audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

You have been reading a chapter from
CISA – Certified Information Systems Auditor Study Guide - Third Edition
Published in: Oct 2024
Publisher: Packt
ISBN-13: 9781835882863
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image