Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
CISA – Certified Information Systems Auditor Study Guide

You're reading from   CISA – Certified Information Systems Auditor Study Guide Achieve CISA certification with practical examples and over 850 exam-oriented practice questions

Arrow left icon
Product type Paperback
Published in Jun 2023
Publisher Packt
ISBN-13 9781803248158
Length 330 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Chapter 1: Audit Planning 2. Chapter 2: Audit Execution FREE CHAPTER 3. Chapter 3: IT Governance 4. Chapter 4: IT Management 5. Chapter 5: Information Systems Acquisition and Development 6. Chapter 6: Information Systems Implementation 7. Chapter 7: Information Systems Operations 8. Chapter 8: Business Resilience 9. Chapter 9: Information Asset Security and Control 10. Chapter 10: Network Security and Control 11. Chapter 11: Public Key Cryptography and Other Emerging Technologies 12. Chapter 12: Security Event Management 13. Other Books You May Enjoy

Data Analytics

Data Analytics (DA) is the method of examining data or information. It helps you to understand the data by transforming raw data into usable and meaningful information.

Examples of the Effective Use of Data Analytics

The following are some examples of the use of DA:

  • To determine whether a user is authorized by combining logical access files with the human resource employee database
  • To determine whether events are authorized by combining the file library settings with change management system data and the date of file changes
  • To identify tailgating by combining input with output records
  • To review system configuration settings
  • To review logs for unauthorized access

CAATs

CAATs are extremely useful to IS auditors for gathering and analyzing large and complex data during an IS audit. CAATs help an IS auditor collect evidence from different hardware, software environments, and data formats.

The following table presents a breakdown of the functions of CAAT tools:

CAAT Tools

Functions

General Audit Software

This is a standard type of software that is used to read and access data directly from various database platforms.

Utility and Scanning Software

This helps in generating reports of the database management system.

It scans all the vulnerabilities in the system.

Debugging

This helps in identifying and removing errors from computer hardware or software.

Test Data

This is used to test processing logic, computations, and controls programmed in computer applications.

Table 2.10: Breakdown of CAAT functions

A CAAT helps an IS auditor collect information independently. Information obtained through CAATs is considered more reliable.

Examples of the Effective Use of CAAT Tools

The following are some examples of use cases for CAAT tools:

  • To determine the accuracy of transactions and balances
  • For detailed analysis
  • To ascertain compliance with IS general controls
  • To ascertain compliance with IS application controls
  • To assess network and operating system controls
  • For vulnerability and penetration testing
  • For the security scanning of source code and AppSec testing

Precautions while Using CAAT

An auditor should be aware of the following precautions when using CAAT tools:

  • Ensure the integrity of imported data by safeguarding its authenticity, integrity, and confidentiality
  • Obtain approval for installing the CAAT software on the auditee servers
  • Obtain only read-only access when using CAATs on production data
  • Edits/modifications should be applied to duplicate data and the integrity of the original data should be ensured

Continuous Auditing and Monitoring

A CISA candidate should understand the difference between continuous auditing and continuous monitoring:

Continuous Auditing

Continuous Monitoring

In continuous auditing, an audit is conducted in a real-time or near-real-time environment. In continuous auditing, the gap between operations and an audit is much shorter than under a traditional audit approach.

In continuous monitoring, the relevant process of a system is observed on a continuous basis.

For example, high payouts are audited immediately after a payment is made.

For example, antivirus or IDSs may continuously monitor a system or a network for abnormalities.

Table 2.11: Differences between continuous auditing and continuous monitoring

Continuous auditing and continuous monitoring are mutually exclusive. Continuous assurance can be ensured if both continuous monitoring and continuous auditing are in place. Generally, the results of continuous auditing are the precursor for the introduction of a continuous monitoring process.

Continuous Auditing Techniques

For IS audits, continuous audit techniques are extremely important tools. The following are the five widely used continuous audit tools.

Integrated Test Facility

The following are the features of an Integrated Test Facility (ITF).

In an ITF, a fictitious entity is created in the production environment:

  • The auditor may enter test or dummy transactions and check the processing and results of these transactions for correctness.
  • Processed results and expected results are evaluated to check the proper functioning of systems.
  • For example, with the ITF technique, a test transaction is entered. The processing results of the test transaction are compared with the expected results to determine the accuracy of processing. If the processed results match the expected results, then it determines that the processing is correct. Once the verification is complete, test data is deleted from the system.

System Control Audit Review File

The following are the features of a System Control Audit Review File (SCARF):

  • In this technique, an audit module is embedded (inbuilt) into the organization’s host application to track transactions on an ongoing basis.
  • A SCARF is used to obtain data or information for audit purposes.
  • SCARFs record transactions above a specified limit or deviation-/exception-related transactions. These transactions are then reviewed by the auditor.
  • SCARFs are useful when regular processing cannot be interrupted.

Snapshot Technique

The following are the features of the snapshot technique:

  • This technique captures snapshots or pictures of the transaction as it is processed at different stages in the system.
  • Details are captured both before and after the execution of the transaction. The correctness of the transaction is verified by validating the before-processing and after-processing snapshots of the transactions.
  • Snapshots are useful when an audit trail is required.
  • The IS auditor should consider the following significant factors when working with this technique:
    • At what location snapshots are captured
    • At what time snapshots are captured
    • How the reporting of snapshot data is done

Audit Hook

The following are the features of an audit hook:

  • Audit hooks are embedded in the application system to capture exceptions.
  • The auditor can set different criteria to capture exceptions or suspicious transactions.
  • For example, with the close monitoring of cash transactions, the auditor can set criteria to capture cash transactions exceeding $10,000. All these transactions are then reviewed by the auditor to identify fraud, if any.
  • Audit hooks are helpful in the early identification of irregularities, such as fraud or error.
  • Audit hooks are generally applied when only selected transactions need to be evaluated.

Continuous and Intermittent Simulation

The following are the features of Continuous and Intermittent Simulation (CIS):

  • CIS replicates or simulates the processing of the application system.
  • In this technique, a simulator identifies transactions as per the predefined parameters. Identified transactions are then audited for further verification and review.
  • CIS compares its own results with the results produced by application systems. If any discrepancies are noted, it is written to the exception log file.
  • CIS is useful to identify the transactions as per the predefined criteria in a complex environment.

The following table summarizes the features of continuous audit tools:

Audit Tool

Usage

SCARF/EAM

This is useful when regular processing cannot be interrupted.

Snapshots

Pictures or snapshots are used when an audit trail is required.

Audit hooks

When early detection of fraud or error is required.

ITF

Test data is used in a production environment

CIS

CIS is useful for the identification of transactions as per predefined criteria in a complex environment.

Table 2.12: Types of continuous audit tools and their features

An IS auditor should be aware of the methods and procedures through which analysis and findings are reported to the audit committee and senior management. The effective reporting of audit findings and communicating the findings to all the stakeholders are very important parts of audit execution; these are covered in more detail in the next section.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

CISA Questions

Possible Answers

What is the first step of conducting data analytics?

The first step will be determining the objective and scope of analytics.

Which is the most effective online audit technique when an audit trail is required?

The snapshot technique.

What is the advantage of an Integrated Test Facility (ITF)?

Setting up a separate test environment/test process is not required.

An ITF helps validate the accuracy of the system processing.

Which is the most effective online audit technique when the objective is to identify transactions as per predefined criteria?

CIS is most useful to identify transactions as per predefined criteria in a complex environment.

Table 2.13: Key aspects from the CISA exam perspective

You have been reading a chapter from
CISA – Certified Information Systems Auditor Study Guide - Second Edition
Published in: Jun 2023
Publisher: Packt
ISBN-13: 9781803248158
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image