CISA DOMAIN 1 (Part 3), THE PROCESS OF AUDITING INFORMATION SYSTEMS

PART 3
8. Compliance testing vs. substantive testing
Compliance Testing – Determines whether controls comply with management policies.
Examples:
Access rights for users
Procedures for program change control
Log review
Software license audit
Substantive Testing – Gathers evidence to assess the integrity of individual transactions, data, or other information.
Examples:
Perform a complex calculation on a sample basis
Test of account balances
Here are some points to keep in mind:
CISA questions will be scenario-based and candidates should be able to distinguish between substantive and compliance testing.
When the probability of error must not be subjectively quantified, statistical sampling should be used. Statistical sampling is an objective sampling method in which every item has an equal chance of being selected.

9. Audit Evidence
Any information used by the IS auditor to determine whether the entity or data being inspected follows established criteria or objectives. This information supports audit conclusions.
Techniques for gathering evidence
Review IS organizational structures
Review IS policies and procedures
Review the IS standards
Check out the IS documentation
Interview appropriate personnel
Observe employee performance and processes
Walkthrough

Remember: Given an audit scenario, a CISA candidate should be able to choose which evidence-gathering technique to use.

10. Audit Sampling
The subset of the population used to perform testing.
Two methods of sampling
Statistical sampling – Uses mathematical laws of probability to create the sample size
Non-Statistical sampling – Uses auditor judgement to determine the sampling method

Methods of sampling
Attribute sampling – Used in compliance testing situations. It deals with the presence or absence of an attribute and gives conclusions expressed in rates of incidence. There are three types:
Stop-or-go sampling – This model helps to prevent excessive sampling of an attribute by allowing an audit test to stop at the earliest possible moment. It is used when the auditor believes that there will be relatively few errors in the population.
Discovery sampling – This is used when audits are intended to uncover fraud.

There are three types:
Unstratified mean per unit – A statistical model in which the sample mean (average) is calculated and projected as an estimated total.
Difference estimation – A statistical model that estimates the total difference between audited and unaudited values using differences from sample observations.
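
A worked illustration of the two estimation models just defined, added here as an example (it is not part of the original study notes). The ledger data, the 4% share of overstated accounts and all function names are constructed assumptions; the sample is drawn at random so that every item has an equal chance of being selected.

```python
import random
from statistics import mean

def build_population(n=2000, seed=7):
    """Constructed ledger: one (book_value, audited_value) pair per account."""
    rng = random.Random(seed)
    population = []
    for _ in range(n):
        book = rng.randint(100, 5000)
        # Assumption for the demo: roughly 4% of accounts are overstated by 10%.
        audited = book * 0.9 if rng.random() < 0.04 else book
        population.append((book, audited))
    return population

def draw_sample(population, size, seed=11):
    """Statistical sampling: every item has an equal chance of being selected."""
    return random.Random(seed).sample(population, size)

def mean_per_unit(sample, population_size):
    """Unstratified mean per unit: project the sample mean of audited values."""
    return mean(audited for _, audited in sample) * population_size

def difference_estimation(sample, population_size, total_book_value):
    """Project the mean (audited - book) difference onto the recorded total."""
    mean_diff = mean(audited - book for book, audited in sample)
    return total_book_value + mean_diff * population_size

if __name__ == "__main__":
    population = build_population()
    total_book = sum(book for book, _ in population)
    true_total = sum(audited for _, audited in population)
    sample = draw_sample(population, 100)
    print(f"recorded total        : {total_book:12.2f}")
    print(f"true audited total    : {true_total:12.2f}")
    print(f"mean-per-unit estimate: {mean_per_unit(sample, len(population)):12.2f}")
    print(f"difference estimate   : "
          f"{difference_estimation(sample, len(population), total_book):12.2f}")
```

Mean per unit uses only the audited values in the sample, while difference estimation starts from the recorded total and adjusts it by the projected difference.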

Important terms in statistics:
Confidence coefficient (CC) – A percentage expression of how likely it is that the characteristics of the sample are representative of the population. Higher confidence coefficients are associated with better internal control.
Level of risk – Equal to one minus the confidence coefficient [if the confidence coefficient is 95%, then the level of risk is (100 − 95 = 5%)].
Expected error rate (ERR) – An estimate, expressed as a percentage, of possible errors. The larger the sample size, the higher the ERR.

Remember: The IS auditor must be familiar with all sampling techniques and when they are appropriate.
11. Control Self-assessment (CSA)
1. What is CSA?
A
