
CISA__Preparing_for_the_Exam-_Domain1_Part_2.pdf

Alison
April 26, 2026


This presentation is part of my CISA Exam Preparation Series, and in this section we take a deeper dive into Domain 1: Information System Auditing Process — focusing on how audits are actually planned, executed, and evaluated in practice.

We move beyond theory and break down key areas such as the audit lifecycle, risk-based planning, audit risk components, evidence collection, sampling techniques, and reporting. The aim is to build a clear understanding of how an auditor thinks — from identifying risk, to testing controls, to forming defensible conclusions.

This part also emphasises the auditor mindset, including independence, professional scepticism, and the importance of selecting the best answer in exam scenarios — not just a technically correct one.

Throughout the video, I link concepts to practical examples and include CISA-style questions to reinforce how these topics are tested in the exam.

This is part of my personal learning journey, and I’m sharing it in case it helps others preparing for the CISA exam.


Transcript

  1. Domain 1: Information System Auditing Process – CISA Exam Preparation Series

    © Alison Wickens | Management System Insights, CISA Series 2026. Not affiliated with ISACA. Redistribution or commercial use prohibited.
  2. The Series

    Part 1 – Introduction & Overview
    Part 2 – Domain 1: Information System Auditing Process
    Part 3 – Domain 2: Governance and Management of IT
    Part 4 – Domain 3: Information Systems Acquisition, Development, and Implementation
    Part 5 – Domain 4: Operations and Business Resilience
    Part 6 – Domain 5: Protection of Information Assets
    Part 7 – Exam Practice & Revision
    Covers all 5 CISA domains in a structured learning journey
  3. ISACA Resources & Downloadable Materials

    Recommended: use official materials to align with exam expectations. Official ISACA resources to support your CISA preparation:
    • CISA Review Manual
    • CISA Questions, Answers & Explanations (QAE Database)
    • CISA Exam Candidate Guide
    • IT Assurance Framework (ITAF)
    • Certification & exam-registration information
    Available on the ISACA website
  4. Audit Standards, Guidelines & Code of Ethics

    Purpose
    • Provide a structured framework for IS auditing, ensuring audits are consistent, objective, ethical, and high quality

    ISACA IS Audit & Assurance Standards
    • Mandatory requirements for auditors
    • Define what must be done
    • Cover: independence, professional competence, planning and execution, reporting
    • Basis for audit credibility and reliability

    IS Audit & Assurance Guidelines
    • Provide practical guidance on how to apply standards
    • Support auditors with: audit procedures, techniques and approaches, control evaluation methods
    • Flexible — used based on context

    ISACA Code of Professional Ethics
    • Defines expected ethical behaviour of auditors
    • Key principles: integrity, objectivity, confidentiality, professional competence
    • Ensures trust and professionalism
  5. Business Processes & IS Audit Function

    Purpose
    • Ensure the IS audit function is properly structured, resourced, and aligned to business processes, enabling effective governance and risk assurance

    Core Areas

    IS Internal Audit Function
    • Independent assurance function
    • Evaluates controls, risk management, and governance
    • Must report at an appropriate level (e.g., Audit Committee)

    Audit Charter
    • Defines: authority, scope, responsibilities
    • Approved by senior management / board
    • Foundation of audit independence

    Management of IS Audit Function
    • Resource planning and allocation
    • Skills and competency management
    • Quality assurance and improvement
    • Ensures audit effectiveness and capability

    Audit Planning
    • Risk-based audit plan
    • Annual audit schedule aligned to business risk
    • Individual audit assignments defined
    • Focus = highest risk areas first

    Laws & Regulations Impact
    • Audit plans must consider: legal requirements, regulatory obligations, compliance risks
    • Example: POPIA, GDPR, financial regulations

    Business Process Applications & Controls
    • Audit must cover key systems such as: e-commerce & digital platforms; banking & payment systems (EFT, ATM, POS); ERP / finance systems; CRM & supply chain systems; industrial / operational systems; AI and expert systems
    • Focus: controls embedded in business processes

    Use of Other Auditors / Experts
    • Reliance on: external auditors; specialists (e.g., cybersecurity, data analytics)
    • Auditor must evaluate competence and independence

    CISA Exam Focus
    • Independence is critical (reporting to board/audit committee)
    • Audit planning must be risk-based
    • Charter defines authority and scope
    • Business processes = primary audit targets
  6. Audit Governance & Charter

    Audit Charter
    • Defines purpose, authority, responsibility
    • Approved by Board / Audit Committee
    • Grants right of access to systems, data, and people
    • Establishes independence

    Independence & Objectivity
    • Audit must be independent of operations
    • Reports to Audit Committee / Board
    • Avoid conflicts of interest
    • Do not audit your own work

    Policies & Procedures
    • Standardise audit approach
    • Include: methodology, documentation standards, reporting structure
    • Ensure consistency and quality

    Risk-Based Planning
    • Driven by: risk assessment, business priorities
    • Includes: annual audit plan, resource allocation
    • Aligns audit with organisational objectives

    Roles & Responsibilities
    • Define: audit management, audit team, stakeholders
    • Ensure clear accountability & communication
  7. ITAF Foundation

    • Standards
    • Guidelines
    • Tools & Techniques
    Ensures consistency and quality
  8. Types of Audits

    • Internal → Improvement & assurance
    • External → Independent assurance
    • Compliance → Adherence
    • Operational → Effectiveness & efficiency
    • Financial → Accuracy of reporting
    • IT → Controls, security, and systems
  9. Domain Structure (1A & 1B)

    • 1A – Planning
    • 1B – Execution
  10. The Audit Lifecycle

    1. Engagement & Initiation – Objectives • Engagement letter • Stakeholders • Authority
    2. Scope – Systems & processes • Boundaries • Audit criteria
    3. Risk Assessment – What can go wrong • Business impact • Focus areas
    4. Audit Planning – Audit approach • Test plans • Resources & schedule
    5. Execution (Fieldwork) – Walkthroughs • Control testing • Interviews
    6. Evidence & Testing – Collect evidence • Sampling • Validate findings
    7. Reporting – Findings • Risk impact • Recommendations
    8. Follow-up – Track actions • Validate fixes • Close findings
    9. Continuous Improvement / QA – Lessons learned • QA reviews • Improve audits
  11. Audit Risk Components

    Purpose
    • Understand how different types of risk combine to determine the overall audit risk and influence audit planning

    Audit Risk & Materiality
    • Materiality = significance of an issue
    • Determines: what gets reported, what gets tested
    • Not all findings are equal
    • Example: Minor control gap → low materiality; financial misstatement → high materiality

    Core Risk Types
    • Inherent Risk (IR)
      • Risk that exists before any controls
      • Driven by: complexity of systems, volume of transactions, sensitivity of data
      • Example: Online banking system = high inherent risk
    • Control Risk (CR)
      • Risk that controls fail to prevent or detect errors
      • Caused by: weak control design, poor implementation, lack of enforcement
      • Example: Users bypass access controls
    • Detection Risk (DR)
      • Risk that the auditor fails to detect an issue
      • Influenced by: audit procedures, sampling methods, auditor competence
      • Example: Auditor misses a control failure
    • Audit Risk (AR)
      • Overall risk that the audit conclusion is incorrect
      • AR = IR × CR × DR
    • Key Insight
      • If Inherent Risk is high → more controls needed
      • If Control Risk is high → stronger audit testing required
      • If Detection Risk is high → audit approach must be improved

    Audit Planning Impact
    • High IR + High CR → increase audit scope, testing, and evidence
    • Low IR + strong controls → reduce testing effort

    CISA Exam Focus
    • Auditor cannot change IR or CR
    • Auditor controls DR through testing
    • Goal: reduce audit risk to an acceptable level
  12. Risk-Based Planning

    Risk-based planning is about using risk to drive every audit decision:
    • What to audit
    • Where to focus
    • How deep to go
    • How often to audit
    • It shifts the audit from coverage-based to impact-based

    Identifying Risks (not just listing them)
    • At a CISA level, this is not just a risk register review.
    • An auditor considers: business objectives (what must not fail), critical systems and processes, regulatory requirements, past incidents and audit findings, known control weaknesses, external threats (cyber, vendors, changes)
    • You are asking: “Where would failure hurt the business most?”
    • Exam trap: candidates often pick “review all areas equally” — this is wrong thinking

    Assessing & Prioritising Risk
    • Risk = Likelihood × Impact
    • But in audits, impact usually dominates.
    • High-risk areas typically include: financial systems, customer data environments, production / live systems, privileged access, change management
    • Prioritisation determines: audit scope, sampling size, depth of testing
    • Example: Payroll system → high impact → deep audit; internal reporting tool → lower impact → lighter review

    Defining Audit Scope Based on Risk
    • This is where many people misunderstand the concept.
    • Risk-based planning means: high-risk areas → included in scope; low-risk areas → may be limited or excluded
    • Scope is not everything — it is risk-driven
    • Exam trap: if asked what to do when time is limited → focus on high-risk areas; do not expand scope blindly

    Aligning with Business Objectives
    • Audits must support the organisation — not operate in isolation.
    • This means: understanding strategic goals, aligning with IT governance, supporting risk management priorities
    • Example: if a company is expanding digitally → audit focus shifts to cloud security, data protection, third-party risk

    Continuous & Dynamic Planning
    • Risk-based planning is not once-off.
    • It evolves based on: new threats, system changes, incidents, business changes
    • Auditors must adjust plans dynamically
    • This is why annual audit plans are risk-based and internal audit functions continuously reassess priorities
  13. Audit Project Management

    Purpose
    • Ensure audits are planned, executed, documented, and reported effectively, delivering reliable and risk-focused assurance

    Core Areas

    Audit Objectives
    • Define what the audit aims to achieve
    • Must be: clear, risk-based, aligned to business objectives
    • Drives audit scope and approach

    Audit Programs
    • Detailed plan of: audit procedures, testing steps, evidence required
    • Ensures consistency and completeness

    Minimum Skills to Develop Audit Programs
    • Knowledge of: IT systems and controls, risk and control frameworks, audit techniques and standards
    • Auditor must have technical + audit expertise

    Audit Work Papers
    • Documentation of: procedures performed, evidence collected, conclusions reached
    • Provides audit trail and supports findings

    Fraud, Irregularities & Illegal Acts
    • Auditor must: identify indicators (red flags), escalate appropriately, maintain objectivity
    • Auditor does not investigate fraud fully but ensures it is addressed

    CISA Exam Focus
    • Audit must follow a structured lifecycle
    • Work papers = critical evidence of audit quality
    • Audit programs guide testing and coverage
    • Auditor responsibility = identify, not investigate, fraud
  14. Audit Execution (Fieldwork)

    Walkthroughs (understanding the process)
    Purpose:
    • Understand how the process actually works
    • Validate design of controls
    What you do:
    • Follow a transaction from start to end
    • Identify control points
    • Confirm process matches documentation
    Example:
    • Follow a user access request: Request → Approval → Provisioning → Review
    CISA angle: Walkthrough = understanding BEFORE testing

    Control Testing (core of execution)
    Two types:
    • Design Effectiveness – Does the control make sense? Is it properly designed to mitigate risk? Would it work if followed?
    • Operating Effectiveness – Is the control actually working? Is it performed consistently? Is it performed correctly?
    Key phrase: “A control can be perfectly designed — but still fail in practice.”

    Audit Techniques (how you test)
    You use multiple methods:
    • Inspection – review documents, logs, reports
    • Observation – watch the process being performed
    • Reperformance – redo the control yourself
    • Inquiry – ask staff (but never rely on this alone)
    CISA exam tip: Inquiry alone = weak evidence

    Interviews (understanding reality)
    Purpose:
    • Validate understanding
    • Identify gaps between theory and practice
    What you look for:
    • Inconsistencies
    • Lack of awareness
    • Process deviations

    Exception Identification
    During execution you find:
    • Control failures
    • Deviations
    • Missing controls
    Then ask:
    • How often does this happen?
    • What is the impact?
    • Is it isolated or systemic?

    Documentation (critical)
    If it’s not documented, it didn’t happen (from an audit perspective). You must:
    • Record procedures performed
    • Capture evidence
    • Link findings to evidence

    Common Execution Risks
    • Incomplete testing
    • Poor sample selection
    • Over-reliance on inquiry
    • Weak documentation
    • Bias / lack of scepticism
  15. Control Types

    • Security Policy – Administrative / Managerial
    • MFA – Technical / Logical
    • CCTV – Physical
    • Input validation – Application
    • Access Management – Technical / Logical
    • Policies / Training – Organisational
    • Audit – Organisational
  16. Testing & Sampling

    Statistical Sampling
    • Based on mathematical techniques
    • Uses: random selection, sample size calculations, confidence levels
    • Enables: quantifiable conclusions, projection of results to the full population
    • Examples: randomly selecting 50 transactions from 10,000; using audit software to generate unbiased samples
    • When to use: large populations; when high assurance is required
    Exam tip: Statistical = objective, defensible, repeatable

    Judgemental (Non-Statistical) Sampling
    • Based on auditor experience and judgement
    • Focuses on: high-risk items, unusual transactions, known problem areas
    • Examples: selecting all high-value payments; reviewing transactions just below approval limits; targeting prior audit findings
    • When to use: risk-focused audits; limited time or resources
    Exam tip: Judgemental = risk-focused, but not statistically representative

    Control Testing
    • Verifies whether controls are: designed effectively, operating effectively
    • Types of testing: inspection (documents, logs); observation (watching processes); reperformance (redoing the control); inquiry (asking staff)
    • Examples: checking if MFA is enforced; reviewing access logs for unauthorised access; testing change approvals
    Key concept: Control exists ≠ Control works

    Sampling Strategy (Risk-Based)
    • Sampling is driven by: risk level, control criticality, frequency of transactions
    • High risk: larger sample size, more detailed testing
    • Low risk: smaller samples, limited testing
    Exam tip: Higher risk → increase testing depth, not just coverage

    Population & Sample Integrity
    • Ensure: population is complete and accurate; sample is representative
    • Risks: incomplete data → invalid conclusions; biased selection → misleading results
    • Example: testing only successful transactions → misses failures

    Exceptions & Evaluation
    • Identify: control failures; deviations from expected behaviour
    • Then assess: frequency of exceptions, impact on risk, root cause
    • Key decision: is this an isolated issue, or a systemic control weakness?
  17. Sampling Methodology

    Purpose
    • Ensure auditors can draw reliable conclusions from a subset of data, balancing efficiency with audit assurance

    Core Areas

    Compliance vs Substantive Testing
    • Compliance Testing
      • Verifies whether controls are designed properly and operating effectively
      • Example: checking if approvals are consistently applied
    • Substantive Testing
      • Verifies accuracy and completeness of data
      • Focuses on actual outcomes, not controls
      • Example: recalculating financial transactions
    • Sampling
      • Selecting a representative subset of data for testing
      • Used when testing the entire population is impractical

    Sampling Methods
    • Statistical Sampling – uses probability; results can be quantified
    • Non-Statistical (Judgmental) Sampling – based on auditor judgement; faster but less precise

    Sampling Risk
    • Risk that the sample does not represent the population
    • Types:
      • False Acceptance – concluding controls are effective when they are not
      • False Rejection – concluding controls are ineffective when they are actually effective

    CISA Exam Focus
    • Compliance testing = control effectiveness
    • Substantive testing = data accuracy
    • Sampling must be representative
    • Sampling risk must be considered
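As an added example (not from the deck), the sampling workflow of slides 16 and 17 in Python: a population integrity check, a seeded statistical sample (50 of 10,000, as on slide 16), a judgemental sample of high-value and previously flagged payments, and projection of the sample's exception rate to the population. The population, its 3% approval-exception rate and the sample sizes per risk level are constructed assumptions, not ISACA figures.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: int         # sequential payment reference number
    amount: float
    approved: bool   # True when an approval record exists for the payment


def build_population(n: int, seed: int = 7) -> list[Payment]:
    """Constructed population for illustration: n payments, roughly 3% lacking approval."""
    rng = random.Random(seed)
    return [
        Payment(ref, round(rng.uniform(50.0, 20000.0), 2), rng.random() > 0.03)
        for ref in range(1, n + 1)
    ]


def check_population_integrity(pop: list[Payment]) -> dict:
    """The population must be complete (no gaps in the reference sequence) and contain
    no duplicate references; otherwise conclusions drawn from any sample are invalid."""
    counts = Counter(p.ref for p in pop)
    duplicates = sorted(r for r, c in counts.items() if c > 1)
    gaps = sorted(set(range(min(counts), max(counts) + 1)) - set(counts))
    return {"complete": not gaps, "unique": not duplicates,
            "gaps": gaps, "duplicates": duplicates}


def sample_size_for_risk(risk_level: str) -> int:
    """Higher risk -> larger sample. These sizes are illustrative assumptions only."""
    return {"high": 60, "medium": 40, "low": 25}[risk_level]


def statistical_sample(pop: list[Payment], size: int, seed: int) -> list[Payment]:
    """Random selection: every item has an equal chance of selection, and recording the
    seed lets a reviewer reproduce the exact sample (objective, defensible, repeatable)."""
    return random.Random(seed).sample(pop, size)


def judgemental_sample(pop: list[Payment], high_value_threshold: float,
                       prior_finding_refs) -> list[Payment]:
    """Risk-focused selection: all high-value payments plus items flagged in prior audits.
    Not statistically representative, so its results must not be projected."""
    flagged = set(prior_finding_refs)
    return [p for p in pop if p.amount >= high_value_threshold or p.ref in flagged]


def evaluate_compliance_sample(sample: list[Payment], population_size: int) -> dict:
    """Compliance test of the approval control: an exception is an unapproved payment.
    For a statistical sample the observed rate is projected to the whole population."""
    exceptions = [p.ref for p in sample if not p.approved]
    rate = len(exceptions) / len(sample)
    return {"tested": len(sample), "exceptions": len(exceptions),
            "exception_rate": rate,
            "projected_exceptions": round(rate * population_size)}


if __name__ == "__main__":
    population = build_population(10_000)
    print(check_population_integrity(population))
    sample = statistical_sample(population, 50, seed=2026)
    print(evaluate_compliance_sample(sample, len(population)))
    targeted = judgemental_sample(population, 15000.0, prior_finding_refs={42, 4711})
    print(f"judgemental sample size: {len(targeted)}")
```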
  18. Evidence Collection

    Audit Procedures vs Evidence
    • Procedures = how you test
    • Evidence = what you collect

    Sufficiency (Quantity)
    • Enough evidence to support conclusions
    • Driven by: risk level, control criticality
    • Higher risk → more evidence
    Exam tip: More testing ≠ better → relevant testing matters

    Reliability (Quality)
    • Source matters:
      • Auditor-obtained > Provided by auditee
      • System-generated > Manual
      • Written > Verbal
    Exam tip: Always choose the most reliable source

    Relevance
    • Must align to: audit objective, control being tested
    • Avoid: excess, unrelated data
    Key: Evidence must support the specific assertion

    Evidence Types
    • Documentation (policies, logs, reports)
    • Interviews (inquiry)
    • Observation (watch process)
    • Reperformance (redo control)
    Inquiry alone = insufficient

    Corroboration & Validation
    • Use multiple sources
    • Cross-check evidence
    • Resolve inconsistencies
    Key: Trust but verify

    Evidence Hierarchy (strongest → weakest)
    • External
    • Auditor-generated
    • Internal documented
    • Verbal

    Documentation & Audit Trail
    • Evidence must be: traceable, stored, reviewable
    • Supports: quality assurance, reperformance

    Evidence Strength Ranking
    1. Auditor-generated (reperformance)
    2. System-generated
    3. Internal documents
    4. Verbal (weakest)
    External evidence example: bank confirmation
  19. Data Analytics

    Pattern Analysis
    • Identifies: trends, relationships, normal behaviour (baseline)
    • Helps detect: process inefficiencies, emerging risks, control gaps
    • Examples: monthly spending trends by department; normal login hours for users; typical transaction values
    Key idea: Define “normal” → detect “abnormal”

    Exception Detection
    • Focus on: outliers, anomalies, rule violations
    • Examples: duplicate payments; transactions just below approval limits; unauthorised access attempts; after-hours system activity
    Exam tip: Exceptions = high-risk focus areas for testing

    Audit Tools & Techniques
    • Tools: data extraction tools; CAATs (Computer-Assisted Audit Techniques); BI tools (e.g. dashboards)
    • Techniques: filtering, sorting, joining datasets, continuous monitoring
    Benefit: Analyse entire populations, not just samples

    Full Population vs Sampling
    • Traditional audit: sample-based testing
    • Data analytics: full population review
    • Impact: increased assurance; reduced sampling risk; faster identification of issues
    Key shift: From testing some → to analysing all

    Data Quality & Integrity
    • Ensure: completeness, accuracy, consistency
    • Risks: incomplete datasets → wrong conclusions; incorrect data → misleading results
    Exam tip: Always validate data before analysis

    Risk-Based Use of Analytics
    • Use analytics to: identify high-risk areas, refine audit scope, target testing
    • Example: identify top 5% high-value transactions → deeper audit focus
    Analytics supports risk-based auditing
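As an added example (not from the deck), the exception-detection rules of slide 19 run over a full population in Python: duplicate payments (same vendor, amount and day), payments just below the approval limit, after-hours activity, and the top-5% high-value targeting used to refine scope. The six payment records, the 5,000 approval limit, the 08:00–18:00 business window and the 5% "just below" band are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import ceil

# Constructed payment records for illustration: (ref, vendor, amount, timestamp, user).
TRANSACTIONS = [
    ("P001", "ACME",     4990.00, "2026-03-02 10:15", "jsmith"),
    ("P002", "ACME",     4990.00, "2026-03-02 10:17", "jsmith"),
    ("P003", "GLOBEX",  12000.00, "2026-03-03 14:05", "mlee"),
    ("P004", "ACME",     4990.00, "2026-03-02 10:15", "jsmith"),
    ("P005", "INITECH",   150.00, "2026-03-04 23:40", "jsmith"),
    ("P006", "INITECH",   150.00, "2026-03-05 09:00", "rpatel"),
]
APPROVAL_LIMIT = 5000.00    # assumed single-approver limit
BUSINESS_HOURS = (8, 18)    # assumed normal window: 08:00 up to (not including) 18:00
TIME_FORMAT = "%Y-%m-%d %H:%M"


def duplicate_payments(transactions):
    """Same vendor, same amount, same day -> candidate duplicate (or split) payment.
    Returns sorted groups of references that have more than one member."""
    groups = defaultdict(list)
    for ref, vendor, amount, ts, _user in transactions:
        day = datetime.strptime(ts, TIME_FORMAT).date()
        groups[(vendor, round(amount, 2), day)].append(ref)
    return sorted(sorted(refs) for refs in groups.values() if len(refs) > 1)


def just_below_limit(transactions, limit=APPROVAL_LIMIT, band=0.05):
    """Amounts within `band` (5%) below the approval limit: a pattern worth testing
    because it is consistent with keeping payments under the second-approval threshold."""
    floor = limit * (1 - band)
    return sorted(ref for ref, _v, amount, _ts, _u in transactions
                  if floor <= amount < limit)


def after_hours(transactions, hours=BUSINESS_HOURS):
    """Activity outside the normal business window (the baseline for 'normal')."""
    start, end = hours
    flagged = []
    for ref, _v, _a, ts, _u in transactions:
        hour = datetime.strptime(ts, TIME_FORMAT).hour
        if hour < start or hour >= end:
            flagged.append(ref)
    return sorted(flagged)


def top_value_refs(transactions, fraction=0.05):
    """Risk-based targeting: the top `fraction` of payments by value (at least one)."""
    k = max(1, ceil(len(transactions) * fraction))
    ranked = sorted(transactions, key=lambda t: t[2], reverse=True)
    return sorted(t[0] for t in ranked[:k])


def run_exception_detection(transactions):
    """Full-population review: every rule runs over every record, not over a sample."""
    return {
        "duplicates": duplicate_payments(transactions),
        "just_below_limit": just_below_limit(transactions),
        "after_hours": after_hours(transactions),
        "high_value_focus": top_value_refs(transactions),
    }


if __name__ == "__main__":
    for rule, hits in run_exception_detection(TRANSACTIONS).items():
        print(f"{rule:>18}: {hits}")
```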
  20. Reporting & Communication Techniques

    Purpose
    • Ensure audit results are clearly communicated, properly documented, and lead to corrective action and improvement

    Core Areas

    Communicating Audit Results
    • Results must be: clear, accurate, timely
    • Tailored to audience: technical teams, management, Board / Audit Committee
    • Focus on impact, not just findings

    Audit Report Objectives
    • Provide: independent assurance, insight into control effectiveness, actionable recommendations
    • Reports must support decision-making

    Audit Report Structure & Content
    • Typical components: scope and objectives; methodology; findings and risks; recommendations; management responses
    • Must be complete, structured, and evidence-based

    Audit Documentation
    • Includes: work papers, evidence, test results
    • Must be: sufficient, reliable, traceable
    • Supports audit conclusions and quality

    Audit Opinion Types
    • Unqualified (clean)
    • Qualified (some issues)
    • Adverse (major failure)
    • Disclaimer (insufficient evidence)

    Follow-up Activities
    • Ensure: findings are addressed, corrective actions implemented, risks reduced
    • Follow-up is critical for audit value

    Types of IS Audit Reports
    • Operational reports
    • Compliance reports
    • Financial/IT control reports
    • Special purpose reports
    • Format depends on audit objective and audience

    CISA Exam Focus
    • Reporting must focus on risk and impact
    • Documentation supports audit defensibility
    • Follow-up ensures control effectiveness over time
    • Communication must be appropriate to audience
  21. Quality Assurance

    Purpose
    • Ensure the audit function is effective, consistent, and continuously improving

    Core Areas

    Control Self-Assessment (CSA)
    • Process where business units assess their own controls
    • Shifts ownership of controls to management

    Objectives of CSA
    • Improve control awareness
    • Encourage accountability
    • Identify risks early
    • Strengthen internal control culture

    Benefits of CSA
    • Early detection of control weaknesses
    • Increased management involvement
    • More efficient use of audit resources
    • Promotes continuous monitoring

    Disadvantages of CSA
    • Risk of bias or over-optimism
    • Lack of objectivity
    • May reduce independent assurance if not validated
    • Requires strong governance and oversight

    IS Auditor’s Role in CSA
    • Facilitate the CSA process
    • Validate results independently
    • Ensure methodology is sound
    • Do NOT rely solely on CSA outcomes

    Integrated Auditing
    • Combines: IT audits, financial audits, operational audits
    • Focus on end-to-end processes and risks
    • Ensures a holistic view of control effectiveness

    CISA Exam Focus
    • CSA = management responsibility, not audit ownership
    • Auditor = facilitator + validator
    • Integrated auditing = better risk coverage
    • Quality assurance ensures audit effectiveness over time
  22. Summary – Domain 1

    Audit Function
    • Independent, reports to Board/Audit Committee
    • Defined by Audit Charter (authority, scope, responsibility)

    Risk-Based Planning
    • Audits focus on high-risk areas, not everything
    • Driven by business objectives, critical systems, and prior issues

    Audit Risk Model – AR = IR × CR × DR
    • Auditor only controls Detection Risk (DR) through testing

    Materiality
    • Focus on significant issues, not minor findings

    Planning & Audit Types
    • Use structured plans and audit programs
    • Know the purpose of audit types (internal, external, compliance, IT, etc.)

    Standards & Ethics
    • Follow ISACA standards (mandatory)
    • Apply ethics: integrity, objectivity, confidentiality, competence

    Business Understanding
    • Audits assess processes and risks, not just controls

    Auditor Mindset
    • Risk-based thinking
    • Professional scepticism
    • Independence
  23. CISA Exam Approach

    • Think risk-first and stay independent
    • Read keywords: BEST / FIRST / MOST
    • Follow the flow: Understand → Evaluate → Test → Report
    • Eliminate answers that are: not risk-based; too technical (implementation); relying on others without validation
  24. Question 1

    An IS auditor is planning an audit of a new system implementation. What should be the FIRST step?
    A. Review system documentation
    B. Identify risks associated with the system
    C. Perform control testing
    D. Conduct user interviews
  25. Question 1 – Answer

    An IS auditor is planning an audit of a new system implementation. What should be the FIRST step?
    A. Review system documentation
    B. Identify risks associated with the system
    C. Perform control testing
    D. Conduct user interviews
    Answer: B
    Explanation: CISA is always risk-first. Before doing anything, the auditor must identify and understand risks to define scope and approach.
  26. Question 2

    Which of the following provides the BEST evidence of control effectiveness?
    A. Management representation
    B. Written procedures
    C. System-generated logs
    D. Auditor observation
  27. Question 2 – Answer

    Which of the following provides the BEST evidence of control effectiveness?
    A. Management representation
    B. Written procedures
    C. System-generated logs
    D. Auditor observation
    Answer: C
    Explanation: System-generated evidence is more reliable and objective than verbal or documented claims.
  28. Question 3

    An auditor selects a sample of transactions randomly. This is an example of:
    A. Judgmental sampling
    B. Statistical sampling
    C. Compliance testing
    D. Substantive testing
  29. Question 3 – Answer

    An auditor selects a sample of transactions randomly. This is an example of:
    A. Judgmental sampling
    B. Statistical sampling
    C. Compliance testing
    D. Substantive testing
    Answer: B
    Explanation: Random selection = statistical sampling, which supports unbiased conclusions.
  30. Question 4

    What is the PRIMARY objective of audit planning?
    A. Reduce audit cost
    B. Ensure audit efficiency
    C. Focus on high-risk areas
    D. Document procedures
  31. Question 4 – Answer

    What is the PRIMARY objective of audit planning?
    A. Reduce audit cost
    B. Ensure audit efficiency
    C. Focus on high-risk areas
    D. Document procedures
    Answer: C
    Explanation: Audit planning is about prioritising risk, not efficiency or documentation.
  32. Question 5

    Which of the following is the MOST important characteristic of audit evidence?
    A. Timeliness
    B. Relevance
    C. Accuracy
    D. Independence
  33. Question 5 – Answer

    Which of the following is the MOST important characteristic of audit evidence?
    A. Timeliness
    B. Relevance
    C. Accuracy
    D. Independence
    Answer: B
    Explanation: Evidence must be relevant to the audit objective — otherwise it has no value.
  34. Question 6

    An auditor finds that a control is well designed but not consistently performed. This indicates:
    A. Control deficiency
    B. Design effectiveness
    C. Operating effectiveness failure
    D. Compensating control
  35. Question 6 – Answer

    An auditor finds that a control is well designed but not consistently performed. This indicates:
    A. Control deficiency
    B. Design effectiveness
    C. Operating effectiveness failure
    D. Compensating control
    Answer: C
    Explanation: Design is fine, but execution is not → operating effectiveness issue.
  36. Question 7

    Which of the following is the BEST way to ensure audit independence?
    A. Rotating auditors periodically
    B. Using external consultants
    C. Reporting to senior management
    D. Avoiding audit documentation
  37. Question 7 – Answer

    Which of the following is the BEST way to ensure audit independence?
    A. Rotating auditors periodically
    B. Using external consultants
    C. Reporting to senior management
    D. Avoiding audit documentation
    Answer: C – why C is still correct here
    Explanation: C is the only option addressing reporting structure, which is the primary driver of independence.
  38. Question 8

    What is the MAIN purpose of audit sampling?
    A. Eliminate risk
    B. Test all transactions
    C. Draw conclusions about a population
    D. Reduce audit documentation
  39. Question 8 – Answer

    What is the MAIN purpose of audit sampling?
    A. Eliminate risk
    B. Test all transactions
    C. Draw conclusions about a population
    D. Reduce audit documentation
    Answer: C
    Explanation: Sampling allows the auditor to infer conclusions about the full dataset.
  40. Question 9

    Which of the following should be communicated FIRST when reporting audit findings?
    A. Recommendations
    B. Root cause
    C. Impact of the finding
    D. Detailed evidence
  41. Question 9 – Answer

    Which of the following should be communicated FIRST when reporting audit findings?
    A. Recommendations
    B. Root cause
    C. Impact of the finding
    D. Detailed evidence
    Answer: C
    Explanation: CISA focuses on risk and impact first — what does this mean for the business?
  42. Question 10

    Which of the following BEST describes ITAF?
    A. A risk management framework
    B. A development methodology
    C. An audit standards and guidance framework
    D. A compliance checklist
  43. Question 10 – Answer

    Which of the following BEST describes ITAF?
    A. A risk management framework
    B. A development methodology
    C. An audit standards and guidance framework
    D. A compliance checklist
    Answer: C
    Explanation: ITAF provides audit standards, guidelines, and tools for IS auditing.
  44. Question 11

    During an audit of a critical production system, the IS auditor finds that:
    • Change management procedures are formally documented
    • All changes appear to have been approved
    • However, emergency changes are frequently implemented without post-implementation review
    What is the MOST significant risk?
    A. Changes may not be properly authorised
    B. Ineffective documentation of procedures
    C. Undetected errors may remain in production
    D. Lack of segregation of duties
  45. Question 11 – Answer

    During an audit of a critical production system, the IS auditor finds that:
    • Change management procedures are formally documented
    • All changes appear to have been approved
    • However, emergency changes are frequently implemented without post-implementation review
    What is the MOST significant risk?
    A. Changes may not be properly authorised
    B. Ineffective documentation of procedures
    C. Undetected errors may remain in production
    D. Lack of segregation of duties
    Answer: C
    Explanation: The key issue is the lack of post-implementation review. This means errors introduced during emergency changes may go undetected, even if approval exists and documentation exists. The real risk is operational impact in production.
  46. Question 12

    An organisation recently implemented a new access control system for its financial application. During the audit, the IS auditor notes that:
    • Access rights were approved by management
    • The system enforces strong authentication
    • However, user access reviews have not been performed for the past 6 months
    What should the auditor do FIRST?
    A. Recommend immediate implementation of periodic access reviews
    B. Report a control deficiency due to lack of monitoring
    C. Assess the risk associated with the lack of access reviews
    D. Perform detailed testing of user access rights
  47. Question 12 – Answer

    An organisation recently implemented a new access control system for its financial application. During the audit, the IS auditor notes that:
    • Access rights were approved by management
    • The system enforces strong authentication
    • However, user access reviews have not been performed for the past 6 months
    What should the auditor do FIRST?
    A. Recommend immediate implementation of periodic access reviews
    B. Report a control deficiency due to lack of monitoring
    C. Assess the risk associated with the lack of access reviews
    D. Perform detailed testing of user access rights
    Answer: C
    Explanation: CISA is always risk-first. Even though a control gap exists (no access reviews), the auditor must first assess the risk and impact. Only then can they decide severity, recommend corrective action, and determine further testing.
  48. Disclaimer

    PERSONAL LEARNING JOURNEY BASED ON CURRENT UNDERSTANDING. OPEN TO INPUT AND DIFFERENT PERSPECTIVES. I DO NOT REPRESENT ANY ORGANISATION. ONE MAY USE THIS MATERIAL IF YOU WISH TO ALSO LEARN FROM THIS.