CISA – Certified Information Systems Auditor Study Guide

You're reading from CISA – Certified Information Systems Auditor Study Guide: Ace the CISA exam with practical examples and over 1000 exam-oriented practice questions

Product type Paperback
Published in Oct 2024
Publisher Packt
ISBN-13 9781835882863
Length 356 pages
Edition 3rd Edition
Author: Hemang Doshi

Audit Evidence Collection Techniques

Auditing is a process of providing an opinion (in the form of a written audit report) about the functions or processes under the scope of an audit. This audit opinion is based on the evidence obtained during the audit. Audit evidence is critical because the audit opinion rests on its reliability, competence, and objectivity. The objective and scope of an audit are the most significant factors when determining the data requirements.

Reliability of Evidence

An IS auditor should consider the sufficiency, competency, and reliability of the audit evidence. Evidence can be considered competent when it is valid and relevant. The following factors determine the reliability of audit evidence.

Independence of the Evidence Provider

The source of the evidence determines the reliability of the evidence. External evidence (obtained from a source outside the organization) is more reliable than evidence obtained from within the organization. A signed agreement with external parties is considered more reliable than an oral agreement.

Qualifications of the Evidence Provider

The qualifications and experience of the evidence provider are major factors when determining the reliability of audit evidence. Information gathered from someone without the relevant qualifications or experience may not be reliable.

Objectivity of the Evidence

Evidence based on judgment (involving subjectivity) is less reliable than objective evidence. Objective audit evidence does not have the scope for different interpretations.

Timing of the Evidence

Audit evidence that is dynamic in nature (such as logs, files, and documents that are updated frequently) should be evaluated with respect to the point in time at which it was collected, since the same source may show different content later.

Figure 2.1 highlights the evidence-related guidelines:

Figure 2.1: Evidence-related guidelines

The guidelines discussed for the reliability of evidence are very important from a CISA exam perspective. An IS auditor should also be aware of the best practices and techniques to gather evidence. These are discussed in the next section.

Evidence-Gathering Techniques

The following techniques are used by IS auditors to gather evidence during the audit process. Table 2.8 lists each factor followed by its description:

Review the organization’s structure

The IS auditor should review the organization’s structure and governance model. This will help the auditor determine the control environment of the enterprise.

Review IS policies, processes, and standards

The audit team should review the IS policies, procedures, and standards and determine the effectiveness of the controls implemented. The audit team should also determine whether IS policies and procedures are reviewed periodically and approved by a competent authority.

Observations

The IS auditor should observe the processes being audited to determine the following:

  • The skill and experience of the staff
  • The security awareness of the staff
  • The existence of segregation of duties (SoD)

Interview technique

The IS auditor should have the skill and competency to conduct interviews tactfully. Interview questions should be designed in advance to ensure that all topics are covered.

To the greatest extent possible, interview questions should be open-ended to gain insight into the process. The staff being interviewed should be made comfortable and encouraged to share information and areas of concern.

Re-performance

In re-performance, the IS auditor performs the activity that was originally performed by the staff of the organization.

Re-performance provides better evidence than other techniques. It should be used when other methods do not provide sufficient assurance about control effectiveness.

Process walk-through

A process walk-through is done by the auditor to confirm the understanding of the policies and processes.

In a process walk-through, each step of the process being audited is observed, with discussion around how the process is executed, who is responsible for the process, and how all tasks are performed.

Table 2.8: Evidence-gathering factors and their descriptions

The evaluation of evidence is a subjective matter, and the auditor needs the relevant skills, experience, and qualifications to judge the relevance, sufficiency, and appropriateness of the audit evidence. In the case of inconclusive evidence, it is recommended to perform an additional test to confirm the accuracy of the audit findings.

Evidence should be evaluated based on the business environment and the complexity of the business processes. The following are some general guidelines for evidence evaluation:

  • In the case of unavailability of evidence, the auditor should report the relevant risk in the audit report.
  • Evidence obtained from a relevant third party is considered more reliable compared to internal evidence. An audit report by a qualified auditor is considered more reliable than a confirmation letter received from a third party.
  • Evidence collected by the audit team directly from the source is considered more reliable compared to evidence provided by business units.
  • Computer-assisted audit techniques (CAATs) are the most effective auditing tools for computerized environments. The use of a CAAT ensures the reliability of audit evidence as data is directly collected, processed, and analyzed by the IS auditor.

Fraud, Irregularities, and Illegal Acts

While evaluating the evidence, it must be noted that the implementation of internal controls does not necessarily eliminate fraud. An IS auditor should be aware of the possibilities, circumstances, and opportunities that can lead to fraud and other irregularities. The IS auditor should observe and exercise due professional care to ensure that internal controls are appropriate, effective, and efficient to prevent or detect fraud, irregularities, and illegal acts.

In the case of suspicious activity, the IS auditor may communicate the need for a detailed investigation. In the case of a major fraud being identified, audit management should consider reporting it to the audit committee of the board.

Key Aspects for the CISA Exam

The following table (Table 2.9) covers important aspects from the CISA exam perspective, as questions with their possible answers:

Question: What does the extent of the data requirements for the audit depend on?
Answer: The objective and scope of the audit

Question: What should audit findings be supported by?
Answer: Sufficient and appropriate audit evidence

Question: What is the most important reason to obtain sufficient audit evidence?
Answer: To provide a reasonable basis for drawing conclusions

Question: What is the most effective tool for obtaining audit evidence through digital data?
Answer: Computer-assisted auditing techniques

Question: What is the most important advantage of using CAATs for gathering audit evidence?
Answer: CAATs provide assurance about the reliability of the evidence collected

Question: What type of evidence is considered most reliable?
Answer: Evidence directly collected from the source by an IS auditor is considered to be the most reliable. The source of evidence should be independent.

Question: What is the primary reason for a functional walk-through?
Answer: To understand the business process

Table 2.9: Key aspects for the CISA exam

Gathering reliable audit evidence is important for forming an auditor’s opinion. Traditional methods can be slow and might miss important details, which can impact audit results. Data analytics (DA) changes this by allowing auditors to quickly analyze large amounts of data, improving accuracy and uncovering insights. It helps auditors find risks and unusual patterns more effectively. In the next section, we’ll explore how data analytics enhances modern auditing and makes it more efficient.
