transaction processing is a viable way to validate that the process works as
designed. When auditing a transaction process, this technique serves to
ensure that the controls are working as they are designed to do. A variation
on reperformance is to introduce a known error into the process and to see
whether the control's actions and results are as expected. Other such testing
techniques will be examined later when we discuss test work in more detail.
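The two techniques just described, reperformance and the known-error variation, can be scripted against a copy of the transaction data. The following Python is an added illustration and is not code from the book: post_invoice() stands in for a constructed approval control under audit, and the approval limit, tax rate, invoices and approver names are all assumptions made for the example.

```python
"""Reperformance and known-error injection against an approval control.

Constructed example: post_invoice() stands in for the production control
under audit; the approval limit, tax rate and invoices are assumptions, not
figures from the book."""
from decimal import Decimal, ROUND_HALF_UP

APPROVAL_LIMIT = Decimal("10000.00")   # assumed policy: above this, two distinct approvers
TAX_RATE = Decimal("0.07")             # assumed rate used by the constructed process


def expected_total(lines, tax_rate=TAX_RATE):
    """Auditor's independent recomputation of an invoice total from its
    (quantity, unit price) lines, in Decimal to avoid float rounding."""
    net = sum((Decimal(str(qty)) * Decimal(str(price)) for qty, price in lines), Decimal("0"))
    return (net * (1 + tax_rate)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def post_invoice(invoice):
    """The control under audit (constructed). Rejects an invoice whose recorded
    total disagrees with its lines, or that exceeds the limit without two
    distinct approvers. Returns (accepted, reason)."""
    recorded = Decimal(invoice["total"])
    if recorded != expected_total(invoice["lines"]):
        return False, "recorded total does not match line items"
    if recorded > APPROVAL_LIMIT and len(set(invoice["approvers"])) < 2:
        return False, "second approver required above limit"
    return True, "posted"


def reperform(posted_invoices):
    """Reperformance: recompute every posted invoice and return the discrepancies
    as (id, recorded total, recomputed total)."""
    exceptions = []
    for inv in posted_invoices:
        recomputed = expected_total(inv["lines"])
        if Decimal(inv["total"]) != recomputed:
            exceptions.append((inv["id"], inv["total"], str(recomputed)))
    return exceptions


def inject_known_errors(control, cases):
    """Known-error variation: push transactions with deliberate defects through
    the control and record whether each outcome matched what the control
    should have done."""
    results = []
    for name, invoice, should_accept in cases:
        accepted, reason = control(invoice)
        results.append({"case": name, "accepted": accepted, "reason": reason,
                        "as_expected": accepted == should_accept})
    return results


# Constructed sample of invoices already posted by the system; INV-3's recorded
# total has transposed digits (624.00 instead of 642.00).
POSTED_INVOICES = [
    {"id": "INV-1", "lines": [(2, "100.00"), (1, "50.50")], "total": "268.04", "approvers": ["bob"]},
    {"id": "INV-2", "lines": [(10, "99.99")], "total": "1069.89", "approvers": ["bob"]},
    {"id": "INV-3", "lines": [(3, "200.00")], "total": "624.00", "approvers": ["bob"]},
]


def _inv(lines, total, approvers):
    return {"id": "TEST", "lines": lines, "total": total, "approvers": approvers}


# (case name, transaction, should the control accept it?)
KNOWN_ERROR_CASES = [
    ("clean invoice", _inv([(1, "500.00")], "535.00", ["bob"]), True),
    ("recorded total tampered", _inv([(1, "500.00")], "545.00", ["bob"]), False),
    ("over limit, one approver", _inv([(1, "12000.00")], "12840.00", ["bob"]), False),
    ("over limit, same approver twice", _inv([(1, "12000.00")], "12840.00", ["bob", "bob"]), False),
    ("over limit, two approvers", _inv([(1, "12000.00")], "12840.00", ["bob", "carol"]), True),
]

if __name__ == "__main__":
    print("reperformance exceptions:", reperform(POSTED_INVOICES))
    for r in inject_known_errors(post_invoice, KNOWN_ERROR_CASES):
        print(r)
```

The point of the "same approver twice" case is that a control which merely counts approvals, rather than distinct approvers, would pass it; a known-error test is the cheapest way to find out which of the two the system actually implements.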
Monitoring
Monitoring is the ongoing input of evidence for a time period sufficient in
length to meet the needs of the audit objective. Sometimes obtaining direct
evidence is not possible and observing a particular time period of a process
is not sufficient to ensure that the controls are working properly. Thus, an
audit step must be designed to monitor a process or transaction flow over
a period of time to ensure that controls are working properly. This is espe-
cially the case when many smaller processes or transactions are involved.
Test Work
Test work consists of the sections of the fieldwork that formally step through
a test designed to determine whether the controls are working. Testing is a
basic building block of fieldwork. It is a scientific process that involves
understanding a process and the expected results—whether they are con-
trol related or actual computational results—and performing the work to
see if the results support the hypothesis. Because reperformance and the
testing of large volumes of transactions or data are usually prohibitive, some
kind of population sampling is usually performed, in sufficient quality
and quantity to extrapolate the results of the testing into a reliable conclusion
for the entire population of items.
Substantive Testing
This type of testing is used to substantiate the integrity of the actual pro-
cessing. It is used to ensure that processes, not controls, are working as
designed and give reliable results.
Compliance Testing
A compliance test determines if controls are working as designed. As poli-
■■ Extraction of the subsets of data
■■ Linkage of data for analysis
■■ Identification of duplicate transactions
■■ Audit trail analysis
CAATs may require a more invasive approach to auditing and will
require close communication and agreement with the auditee. Data file
copies may need to be exported offline in order not to interrupt the production
use of the data. In addition, strict controls will need to be placed on
the extracted data to establish and maintain its integrity (for example, taking
a hash of the extract at the time it is copied and recording it in the work
papers so any later change to the file can be detected). If technical staff are
involved with developing and performing tests related to the use of
CAATs, due care related to the integrity of the data and additional controls
over the audit testing processes may need to be considered.
Additional steps to ensure that source code and object code match and
that file and data definitions are available may be appropriate in planning
and executing CAAT-based reviews. Changes caused by the interaction of
The Information System Audit Process 43
the production system and the CAAT tools to both the production environment
and the CAAT tools need to be fully understood before reliance
on the technique can be made and before risks to the production environment
are introduced. A full description of the CAAT processes and their
input/output should be documented in the work papers.
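The four CAAT uses listed above (extraction, linkage, duplicate identification and audit trail analysis), together with the integrity control over the extract, can be shown in one small script. This Python is an added example, not code from the book or from any CAAT product; the vendor master, payments file, column names and audit period are constructed for the illustration, and the extract is loaded into an in-memory SQLite copy so nothing touches production.

```python
"""CAAT-style tests over an extracted data file (constructed example).

The tables, rows and audit period below are constructed for illustration and
are not taken from the book. The extract is an in-memory SQLite copy, so the
production data is never read or written during testing."""
import hashlib
import sqlite3

# Constructed production data: a vendor master and a payments file.
VENDORS = [
    (1, "Acme Supplies", "active"),
    (2, "Beta Services", "active"),
    (3, "Gamma Ltd", "inactive"),
]
PAYMENTS = [
    # id, vendor_id, invoice_no, amount, paid_on, requested_by, approved_by
    (101, 1, "INV-1001", 4200.00, "2024-03-02", "alice", "bob"),
    (102, 1, "INV-1001", 4200.00, "2024-03-09", "alice", "bob"),    # duplicate of 101
    (103, 2, "INV-2001", 950.00, "2024-03-15", "carol", "carol"),   # self-approved
    (104, 3, "INV-3001", 12000.00, "2024-03-20", "dave", None),     # inactive vendor, no approver
    (105, 9, "INV-9001", 300.00, "2024-03-21", "alice", "bob"),     # vendor missing from master
    (106, 2, "INV-2002", 700.00, "2024-04-01", "carol", "erin"),    # outside the audit period
]


def load_extract():
    """Load the copied files into an in-memory database (the auditor's working copy)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.execute("""CREATE TABLE payment (id INTEGER PRIMARY KEY, vendor_id INTEGER,
                    invoice_no TEXT, amount REAL, paid_on TEXT,
                    requested_by TEXT, approved_by TEXT)""")
    conn.executemany("INSERT INTO vendor VALUES (?,?,?)", VENDORS)
    conn.executemany("INSERT INTO payment VALUES (?,?,?,?,?,?,?)", PAYMENTS)
    return conn


def extract_subset(conn, start, end):
    """Extraction: only the payments dated inside the audit period."""
    return conn.execute(
        "SELECT * FROM payment WHERE paid_on BETWEEN ? AND ? ORDER BY id",
        (start, end)).fetchall()


def extract_fingerprint(rows):
    """SHA-256 over a canonical serialisation of the extracted rows. Recorded in
    the work papers so the extract can be shown unchanged between the time it
    was taken and the time it was tested."""
    canonical = "\n".join("|".join("" if v is None else str(v) for v in row) for row in rows)
    return hashlib.sha256(canonical.encode()).hexdigest()


def find_duplicates(conn):
    """Duplicate identification: same vendor, invoice number and amount paid more than once."""
    return conn.execute("""
        SELECT vendor_id, invoice_no, amount, MIN(id) AS first_id, MAX(id) AS last_id, COUNT(*) AS n
        FROM payment GROUP BY vendor_id, invoice_no, amount HAVING COUNT(*) > 1
        ORDER BY first_id""").fetchall()


def vendor_linkage_exceptions(conn):
    """Linkage: payments whose vendor is missing from, or inactive on, the master file."""
    return conn.execute("""
        SELECT p.id, p.vendor_id, COALESCE(v.status, 'not on master') AS status
        FROM payment p LEFT JOIN vendor v ON v.id = p.vendor_id
        WHERE v.id IS NULL OR v.status <> 'active' ORDER BY p.id""").fetchall()


def audit_trail_exceptions(conn):
    """Audit trail analysis: payments with no approver, or approved by the requester."""
    return conn.execute("""
        SELECT id, requested_by, approved_by FROM payment
        WHERE approved_by IS NULL OR approved_by = requested_by ORDER BY id""").fetchall()


def run_caat_tests(start="2024-03-01", end="2024-03-31"):
    """Run the four tests and return everything the work papers should record."""
    conn = load_extract()
    rows = extract_subset(conn, start, end)
    return {
        "extract_rows": len(rows),
        "extract_sha256": extract_fingerprint(rows),
        "duplicates": find_duplicates(conn),
        "linkage_exceptions": vendor_linkage_exceptions(conn),
        "audit_trail_exceptions": audit_trail_exceptions(conn),
    }


if __name__ == "__main__":
    for key, value in run_caat_tests().items():
        print(key, value)
```

Each query is deliberately simple; what matters for the audit is that the SQL text, the extract hash and the row counts all end up in the work papers alongside the results, so a reviewer can rerun the same tests against the same extract and reach the same exceptions.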
Management Control Reports
Reports used by management to ensure that the controls are working or to
be used as detective controls for identifying when errors occurred are often
gathered through a sampling and are evidenced in the fieldwork. Manage-
ment reports are gathered to confirm statistical or performance data and to
total of items to choose from and about which information is desired.
Confidence Interval. A range of values that defines the upper and
lower limits between which the actual population value is believed to lie,
compared to the sample statistic. For example, if the results of a 95
percent confidence level sample produces a confidence interval
between 200 and 300, and the auditor were to repeatedly pull sam-
ples of the same size and calculate a confidence level of 95 percent,
then 95 percent of the intervals would encompass the actual popula-
tion value.
Confidence Level or Degree of Assurance. The probability that the
results of a sample are reasonable results related to the population as
a whole. It is an estimate of the degree of certainty that a population
average will be within the precision level selected. Confidence levels
are usually expressed as a percentage. A 95 percent confidence level
means that if a repeated sampling was conducted, the actual value
would fall within the confidence interval about 95 percent of the
time.
Standard Deviation. The degree to which individual values in a list
vary from the mean (average) of all values in the list. The lower the
standard deviation, the less individual items vary from the mean and
the more reliable the mean.
Precision. The tolerance, expressed as a range around the sample
estimate, within which the population value is expected to fall at the
stated confidence level. For example, if the auditor is 95 percent confident
that the average value lies between X minus the precision and X plus
the precision, the remaining 5 percent risk is split between the two tails:
a 2.5 percent risk that the true average is above the upper limit and a
2.5 percent risk that it is below the lower limit.
Probability. The ratio of the frequency of certain events to the fre-
quency of all possible events in a series, usually expressed as a per-
centage of all events in the series.
population is misrepresented by the sample, and 2) the conclusion
results in an incorrect rejection of the test of the sample when testing
the entire population would have resulted in an acceptable outcome.
The auditor should use a sampling method that is representative of the
population relative to the characteristic for which the population is being
tested. Stratification, a process of subdividing the larger population into
smaller ones with common attributes, may be considered as a way to narrow
the population and to increase the confidence of the testing, depending
on the audit objective for which the test is designed. The larger the
sample size, the smaller the sampling error that can be expected; however, some amount of
46 Chapter 1
error must be expected when applying a sampling technique of any kind.
The auditor should consider whether the expected error rate will exceed
the tolerable error rate when determining what to sample and what size
sample is sufficient. Sampling procedures and determinations used in
defining the sample method must be properly documented in the work
papers in order for the samples and overall conclusion to be defensible. In
determining these methods and processes, care must be exercised to show
that bias has been avoided and that the sample size is sufficient.
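The sampling terms defined above (confidence level, tolerable and expected error rates, sample size, stratification) come together in an attribute sample for a test of controls. The following Python is an added example, not from the book and not an official sampling table: it derives the sample size from the exact binomial distribution, evaluates the sample by computing the upper deviation limit, and records the random seed so the selection is reproducible for the work papers. The population of 400 change tickets, the deviation pattern, the rates and the seed are all assumptions for the illustration. For the common 95 percent confidence, 5 percent tolerable case it returns 59 (expecting no deviations) and 93 (expecting 1 percent), which agree with the widely published attribute-sampling tables.

```python
"""Attribute sampling for a test of controls (constructed example).

Sample size and evaluation use the exact binomial distribution. The
population, deviation rates and seed below are assumptions for illustration,
not figures from the book."""
import math
import random


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate):
    """Smallest sample size such that, if the true deviation rate were as high
    as the tolerable rate, observing no more than the expected number of
    deviations would have probability at most (1 - confidence)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    risk = 1 - confidence
    n = 1
    while True:
        allowed = math.ceil(expected_rate * n)   # deviations we expect to find in the sample
        if binomial_cdf(allowed, n, tolerable_rate) <= risk:
            return n
        n += 1


def upper_deviation_limit(n, observed, confidence, tol=1e-9):
    """Highest population deviation rate still consistent with `observed`
    deviations in n items at the given confidence (binary search on p;
    the binomial CDF is decreasing in p)."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(observed, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(n, observed, confidence, tolerable_rate):
    """Conclude on the control: rely on it only if the achieved upper limit
    does not exceed the tolerable rate."""
    limit = upper_deviation_limit(n, observed, confidence)
    return {"sample_rate": observed / n, "upper_limit": limit,
            "rely_on_control": limit <= tolerable_rate}


def select_sample(population, n, seed):
    """Unrestricted random selection: every item has an equal chance. The seed
    goes in the work papers so the selection can be reproduced on review."""
    return random.Random(seed).sample(population, n)


def stratified_selection(population, stratum_of, per_stratum, seed):
    """Subdivide the population by a common attribute and select within each stratum."""
    strata = {}
    for item in population:
        strata.setdefault(stratum_of(item), []).append(item)
    rng = random.Random(seed)
    return {k: rng.sample(v, min(per_stratum, len(v))) for k, v in sorted(strata.items())}


# Constructed population: 400 change tickets; every 40th one lacks the required approval.
POPULATION = [{"ticket": f"CHG-{i:04d}", "approved": i % 40 != 0,
               "system": "ERP" if i % 3 else "HR"} for i in range(1, 401)]


def run_test_of_controls(confidence=0.95, tolerable_rate=0.05, expected_rate=0.01, seed=20240301):
    """End to end: size the sample, select it, count deviations, conclude."""
    n = attribute_sample_size(confidence, tolerable_rate, expected_rate)
    sample = select_sample(POPULATION, n, seed)
    observed = sum(1 for t in sample if not t["approved"])
    result = evaluate_sample(n, observed, confidence, tolerable_rate)
    result.update({"sample_size": n, "observed": observed, "seed": seed})
    return result


if __name__ == "__main__":
    print(run_test_of_controls())
```

Note what the evaluation does not do: it does not compare the raw sample deviation rate with the tolerable rate. One deviation in 59 items is a 1.7 percent sample rate, but the 95 percent upper limit is roughly 7.8 percent, above a 5 percent tolerable rate, so the auditor cannot rely on the control from that sample; the upper limit, not the sample rate, is the figure to carry into the conclusion.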
Preparing Exhibits
Exhibits should be included in a section of the work paper and organized
so that references can be easily made to the audit program. An indexing
scheme calls out or indexes an exhibit based on the exhibit’s location in the
work papers where it was first referenced. This helps to logically order the
exhibits in a sequential order. For example, if audit Step 3 is the first time
an exhibit of a certain report is used in the audit work, it might be labeled
“EX-3-1” for the first exhibit in audit Step 3. Subsequent references to the
exhibit then will continue to use this number as an exhibit identifier. It is
helpful in large or frequently performed audits to also note additional
information in the labeling of the audit exhibit, such as the auditor who
to avoid embarrassment and risking the loss of confidence in the audit
team. Reporting irregularities needs careful consideration because of the
potential for further abuse from identified weaknesses, loss of customer
confidence, company reputation damage, and the effect on employees not
directly involved with the irregularity. External reporting of illegal acts
may be a legal or regulatory obligation. Approval for this kind of reporting
should be sought from audit management and the appropriate level of
management prior to proceeding. The majority of the routine concerns can
be raised in the ongoing and periodic status communications between the
auditor and management. Even if satisfactorily corrected and addressed,
these weaknesses and related findings should be reported as part of the
audit. When audits are performed to place reliance over a period of time, a
determination must be made as to when the weakness existed in compari-
son to the effective time period the audit is covering.
Conclusions
An important aspect of all testing and fieldwork is to draw a conclusion
based on the evidence reviewed. This can be a difficult part of the audit for
an inexperienced auditor. The conclusion is the actual value that comes out
of the audit process, without which there is no reason to audit. It is the step
most agonized over by auditors, because it is where their opinion and pro-
fessional training is ultimately put to the test. The CISA candidate must be
familiar with the process of determining, from the evidence presented and
tests performed, what their professional opinion is about the sufficiency of
the controls relevant to the risk culture of the management and the materi-
ality of the particular finding. Even when there are no findings of weakness,
or especially when there is no weakness found, the auditor must clearly
state this finding when writing their concluding opinion about the test or
fieldwork before they are done with the audit program step. When weak-
nesses are noted, some planning will help position the weaknesses to help
and the weaknesses identified into reportable findings. Now you are pre-
pared to draft the findings into a reportable format.
Reportable findings contain five specific parts in their presentation
format:
What is the condition that was found? State the situation in clear
nonjargon language.
What should be the state of the condition? What would you expect
to see in a well-controlled situation?
Why is the auditee at risk? Why is this important?
What is the significance of the condition? What is the potential
downside impact of the condition to the auditee if not addressed?
Recommendation. What do you propose that might better mitigate
the risk exposure identified by this finding?
Your finding should take this format in its final form, but before you
make any recommendations you will need to do some root cause analysis
to make your recommendations value added.
Root Cause Analysis
Root cause analysis is a process performed on the weakness findings to
answer the question: Why? Before you make a value-added recommendation,
you must understand what the root issues are and what the symptoms
are. Correcting a symptom will not resolve the weakness effectively
or produce a long-term solution. Often, you must peel back through several
layers of cause-and-effect scenarios to get to the real cause of the weakness
or deficiency. Generally, control weaknesses are symptoms, and a
collection of them will help you identify the root cause.
Another popular method to get to a root cause is to start with a symptom
and ask why three to five times to get to the real cause that needs to be
addressed in order to change the identified symptomatic outcome. This
exercise may lead to root causes that are outside either the control of the
manager to ensure that all of the work performed reasonably meets the rea-
sonably competent third party test. Work paper comments and concerns
related to unclear procedures or conclusions or related to the sufficiency of
the evidence should be documented and discussed with the auditor per-
forming the work. These review comments should be presented and
cleared in a manner that will not remain part of the permanent work paper
files. Notation of the presentation and subsequent clearing of the review
comments should be recorded in the chronological log without recording
the substance of the comments discussed. After having reviewed the work
and satisfactorily addressed and cleared all of the review comments, the
reviewer should initial the work to provide the assurance necessary to
achieve a reliable audit result.
Peer Review
Peer review of audit work is an excellent way to benchmark your audit work
with other auditors and audit teams. By using this technique consistently,
improvements can be achieved as methods are challenged and procedures
improved upon. A peer review of the audit work also is a good way of estab-
lishing common ground and relationships with external and internal auditor
pairings. Joint audits between internal and external audit teams also serve
this purpose well.
Communicating Audit Results
and Facilitating Change
The audit report plays a unique and influential role in communicating with
auditee management. These reports are what the client management pays
for when funding an audit. The purpose of an audit report is to inform,
persuade, and get results. Readers expect a direct, straightforward, and
factual presentation of the results of the audit. Brief statements should be
used to encapsulate key ideas and to summarize supporting data. The
reports should be issued in a timely manner so they are relevant and use-
findings, either by their root causes or by those with a common solution,
should be considered.
Overall conclusions should be drawn and the key supporting points
should be identified and rephrased to cohesively present the overall
conclusion.
Report Layout
Audit reports should contain the following:
1. Report title (organization and/or area audited)
2. Recipients of the report
3. Date the report was issued—effective period covered by the audit
and preparing auditor(s)
4. Scope
5. Objectives of the engagement
6. Coverage period
7. Brief description of work performed
8. Background information
9. Overall audit conclusion
10. Findings, recommendations, and responses listed from the highest
material risk to the lowest material risk
The report should initially describe the scope and objectives of the audit
and provide information about whether the audit objectives were satisfac-
torily met. Legal or regulatory requirements related to this audit also
should be defined in this report when laying out the scope and objectives
of the audit. After describing the scope, objectives, and effective time frame
of the audit engagement, a description of the work performed helps to rep-
resent to the reader what was done to reach the conclusions made in this
report. This does not require a detailed explanation of the entire body of
the test work, just an overview of what was tested, the systems and audit
areas covered in the audit, and the kinds of testing techniques and method-
ent audience than the one you have been dealing with during the audit up
to this point. This audience does not necessarily understand a lot of techni-
cal jargon and detailed control analysis lingo. They want to see full sub-
ject/verb/object sentences that have been spell checked (no kidding). If
you do not want to turn them off, you will need to reread your report several
times, taking a hard look at eliminating negative language from your
report. Rephrasing problems as challenges is the kind of change you need
to make to produce a receptive, nondefensive response to your report. A
trick I was taught is to do a find on every instance of the characters n and o
together in the report. Look for ways to turn the sentence around. Instead
of talking about what was not being done, report what needs to be done to
better control the process. It seems simple, but it really works.
All findings of a material nature should be included in the report. The
auditor will have to exercise their professional judgment on what is mate-
rial and should therefore be included as a reportable item.
Responses
Preliminary drafts of the report may be created for response and validation
of findings prior to final issuance of the report. You may need to help guide
the management in crafting their responses to meet the needs of this new
audience as well. Senior management does not want to hear about excuses
and rationalizations as to why things are the way they are. A weakness has
been identified and they are uncomfortable. The responses from their
departmental staff need to be clear, forthright, and actionable, and have
deadlines associated with them that seem reasonable given the materiality
of the situation and the complexity of the solution. Suggested changes to
departmental responses can help move the process to a positive actionable
conclusion when possible. I often send reminders when seeking the
response to management stating:
Your responses should include
Sample Questions
The following questions and answers are a sample of what the CISA exam
content might look like on the subject matter covered in this chapter. The
format, style, and layout of the question and answer choices should give
you a better understanding of the exam question format. In addition, it
should enable you to become comfortable with the multiple choice style,
where the best answer must be chosen from a set of four answers, some of
which also may be technically correct. Answers are provided with expla-
nations on the right and wrong answers in Appendix A, which will help
you understand the intent of the question and the correct response.
1. When planning an IS audit, which of the following factors is least
likely to be relevant to the scope of the engagement?
A. The concerns of management for ensuring that controls are suffi-
cient and working properly
B. The amount of controls currently in place
C. The type of business, management culture, and risk tolerance
D. The complexity of the technology used by the business in per-
forming the business functions
2. Which of the following best describes how a CISA should treat guid-
ance from the IS audit standards?
A. IS audit standards are to be treated as guidelines for building
binding audit work when applicable.
B. A CISA should provide input to the audit process when defend-
able audit work is required.
C. IS audit standards are mandatory requirements, unless justifica-
tion exists for deviating from the standards.
D. IS audit standards are necessary only when regulatory or legal
requirements dictate that they must be applied.
controls
D. Residual risk being higher than the insurance coverage
purchased
7. Which of the following is not a definition of a risk type?
A. The susceptibility of a business to make an error that is material
where no controls are in place
B. The risk that the controls will not prevent, detect, or correct a risk
on a timely basis
C. The risk that the auditors who are testing procedures will not
detect an error that could be material
D. The risk that the materiality of the finding will not affect the out-
come of the audit report
8. What part of the audited businesses background is least likely to be
relevant when assessing risk and planning an IS audit?
A. A mature technology set in place to perform the business pro-
cessing functions
B. The management structure and culture and their relative depth
and knowledge of the business processes
C. The type of business and the appropriate model of transaction
processing typically used in this type of business
D. The company’s reputation for customer satisfaction and the
amount of booked business in the processing queue
9. Which statement best describes the difference between a detective
control and a corrective control?
A. Neither control stops errors from occurring. One control type is
applied sooner than the other.
B. One control is used to keep errors from resulting in loss, and the
other is used to warn of danger.
C. One is used as a reasonableness check, and the other is used to
exist that exceed that tolerance.
13. What is the correct formula for annual loss expectancy?
A. Total actual direct losses divided by the number of years it has
been experienced
B. Indirect and direct potential loss cost times the number of times it
might possibly occur
C. Direct and indirect loss cost estimates times the number of times
the loss may occur in a year
D. The overall value of the risk exposure times the probability
for all assets divided by the number of years the asset is
held
14. When an audit finding is considered material, it means that
A. In terms of all possible risk and management risk tolerance, this
finding is significant.
B. It has actual substance in terms of hard assets.
C. It is important to the audit in terms of the audit objectives and
findings related to them.
D. Management cares about this kind of finding so it needs to be
reported regardless of the risk.
15. Which of the following is not considered an irregularity or illegal
act?
A. Recording transactions that did not happen
B. Misusing assets
C. Omitting the effects of fraudulent transactions
D. None of the above
16. When identifying the potential for irregularities, the auditor should
consider
A. If a vacation policy exists that requires fixed periods of vacation
to be mandatory
department
C. To explain the code of ethics used by the auditor
D. To provide a clear mandate to perform the audit function in
terms of authority and responsibilities
21. In order to meet the requirements of audit, evidence sampling must
be
A. Of a 95 percent or higher confidence level, based on repeated
pulls of similar sample sizes
B. Sufficient, reliable, relevant, and useful, and supported by the
appropriate analysis
C. Within two standard deviations of the mean for the entire popu-
lation of the data
D. A random selection of the population in which every item has an
equal chance of being selected
22. Audit evidence can take many forms. When determining the types
required for an audit, the auditor must consider
A. CAATs, flowcharts, and narratives
B. Interviews, observations, and reperformance testing
C. The best evidence available that is consistent with the importance
of the audit objectives
D. Inspection, confirmation, and substantive testing
23. The primary thing to consider when planning for the use of CAATs
in an audit program is
A. Whether the sampling error will be at an unacceptable level
B. Whether you can trust the programmer who developed the tools
of the CAATs
C. Whether the source and object codes of the programs of the
CAATs match
D. The extent of the invasive access necessary to the production
supervisor.
D. Ensure that all of the audits are consistent in style and technique.
Now that you have a solid foundation in the audit process itself, the approach
to the subsequent chapters will differ slightly from the first. The rest of the
material in this book is about what to audit, not how to do it. It will be assumed
that you understand how to identify risks and build an audit plan from the
information provided. Testing tips will be provided, in some cases, but
mostly there will be a description of what the key issues are and what should
be in place. This can be used as a reference against what you find (what is)
when evaluating these processes in a business setting. The intent here is to
impart knowledge about the practices themselves with the understanding
that what is determined to be material and which findings are significant
will be the result of your risk assessment and management communication
processes. Once you have an understanding of the expected processes and
what should be found in practice, you then will be able to build an audit pro-
gram that looks for the related control weaknesses in support of your partic-
ular audit objectives. The audit objectives may be pointed out as we go along
but in most cases, the objective will be to ensure that these processes are in
place, working efficiently, and designed to meet the tactical and strategic
needs of the business. Keywords to look for are needs to be, should be, is respon-
sible, and are required in some form.
Chapter 2
Management, Planning, and Organization of Information Systems
This domain chapter covers auditing of the pervasive audit controls and
control objective areas related to strategy, policy, procedures, standards,
in a documented form. You may investigate annual reports for such infor-
mation or find it on Web pages or corporate literature. Validating these
goals with the senior management is useful in establishing their applica-
bility to the IS organization and the interpretations individual manage-
ment members may have of the overall mission of the company. This could
help you identify areas of focus for your audit.
Your goal will be to evaluate the IS strategy and direction and how well
it is being managed. Seek documentation of the mission of the IS organiza-
tion. Evaluate how it supports the business needs and mission. Look at