PART 2
4. Internal Controls: These are the policies, procedures, practices and organizational structures that an enterprise puts in place to reduce risk to an acceptable level.
The effective implementation of an internal control system is the responsibility of the board.
Remember: CISA questions on internal controls should be answered from the perspective of top management (board of directors, CEO, CIO, CISO, etc.), choosing the best of the available options.
Classification of internal controls:
Preventive controls
Detective controls
Corrective controls
Remember that CISA questions are scenario-based, so the candidate must be able to recognize all three control types in context.
Preventive controls: These internal controls are used to stop an event from happening that could affect the achievement of organizational goals. Examples of preventive control activities:
Background checks for employees
Training for employees and certifications
Password-protected access to asset storage areas
Physical locks on inventory warehouses
Security camera systems
Segregation of duties (i.e. recording, authorization and custody of assets are handled by separate people)
Detective controls: These are used to discover when preventive controls have failed to stop errors or irregularities, especially in relation to asset protection. Examples of detective control activities:
Bank reconciliations
Control totals
Physical inventory counts
Reconciliation of the general ledgers and the detailed subsidiary ledgers
Internal audit functions
Corrective controls: Once a problem has been identified by a detective control, corrective control activities address the issue and put measures in place to prevent it from recurring. Examples of corrective control activities:
Data backups, used to recover lost data after a fire, flood or other disaster
Data validity tests, used to re-verify data inputs when amounts fall outside a reasonable range
Insurance, used to replace stolen or damaged assets
Management variance reports, used to highlight differences between budget and actual figures so that corrective action can be taken
Revision of training material and operations manuals to prevent future mistakes and irregularities
5. COBIT, developed by ISACA
A comprehensive framework that helps enterprises achieve their objectives for the governance and management of enterprise IT (GEIT).
COBIT 5 is built on 5 principles and 7 enablers.
5 Principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a holistic approach
4. Applying a single integrated framework
5. Separating governance from management
7 Enablers:
1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
(Note: A CISA candidate will not be asked to identify individual COBIT processes, COBIT domains, or the set of IT processes in each domain. Candidates should be able to identify the frameworks, their purpose, and why enterprises use them.)
6. Risk-based auditing
The audit approach should follow these steps:
Step 1: Gather all available information and plan the audit by reviewing the prior year's audit results, financial information and inherent risk assessments
Step 2: Understand the existing internal controls by analysing control procedures and assessing detection risk
Step 3: Perform compliance tests by identifying the key controls to be tested and testing them
Step 4: Perform substantive testing through tests of account balances and analytical procedures
Step 5: End the audit