PART 3

8. Compliance testing vs. substantive testing

Compliance testing – Determines whether controls comply with management policies.

Examples:

Access rights for users

Procedures for program change control

Log review

Software license audit

Substantive testing – Gathers evidence to assess the integrity of individual transactions, data, or other information.

Examples:

Perform a complex calculation using a sample basis

Test of account balances

Here are some points to keep in mind:

CISA questions will be scenario-based, and candidates should be able to distinguish between substantive and compliance testing.

When the probability of error must not be subjectively quantified, statistical sampling should be used. Statistical sampling is an objective sampling method in which every item has an equal chance of being selected.

9. Audit Evidence

Any information used by the IS auditor to determine whether the entity or data being inspected follows established criteria or objectives. This information supports the audit conclusions.

Techniques for gathering evidence

Review IS organizational structures

Review IS policies and procedures

Review the IS standards

Check out the IS documentation

Interview appropriate personnel

Observe employee performance and processes

Walkthrough

Remember: A CISA candidate should be able, given an audit scenario, to choose which evidence-gathering technique to use.

10. Audit Sampling

A subset of the population that is used to perform testing.

Two methods of sampling

Statistical sampling – Uses the mathematical laws of probability to determine the sample size

Non-Statistical sampling – Uses auditor judgement to determine the sampling method

Methods of sampling

Attribute sampling – Used in compliance testing situations. It deals with the presence or absence of an attribute and gives conclusions expressed in rates of incidence. There are three types:

Stop-or-go sampling – This model helps to prevent excessive sampling of an attribute by allowing an audit test to stop at the earliest possible moment. It is used when the auditor believes there will be relatively few errors in the population.

Discovery sampling – This is used when audits are intended to uncover fraud.

Variable sampling – Used in substantive testing situations. There are three types:

Unstratified mean per unit – A statistical model in which the sample mean (average) is calculated and projected as an estimated total.

Difference estimation – A statistical model that estimates the total difference between audited and unaudited values using differences from sample observations.

Important terms in statistics: Confidence coefficient (CC) – A percentage expression of how likely it is that the characteristics of the sample are representative of the population. Higher confidence coefficients are associated with better internal control.

Level of risk – Equals one minus the confidence coefficient (if the confidence coefficient is 95%, the level of risk is 100 - 95 = 5%).

Expected error rate (ERR), a percentage of possible errors, is an estimate. The larger the sample size, the higher the ERR.
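The sampling projections from the two sections above (attribute sampling's rate of incidence, unstratified mean per unit, difference estimation) and the level-of-risk formula, worked on a constructed sample. This is an added example, not part of the original notes; the population size, book total and sampled values are all constructed.

```python
from statistics import mean

# Constructed data: ten records drawn from a population of 1,000 records whose
# unaudited (book) values total 505,000. 'book' is the recorded value and
# 'audited' is the value the auditor verified; two records are misstated.
POPULATION_SIZE = 1000
POPULATION_BOOK_TOTAL = 505_000.0
SAMPLE = [
    {"book": 500.0, "audited": 500.0},
    {"book": 520.0, "audited": 500.0},  # overstated by 20
    {"book": 480.0, "audited": 480.0},
    {"book": 510.0, "audited": 510.0},
    {"book": 490.0, "audited": 490.0},
    {"book": 505.0, "audited": 505.0},
    {"book": 495.0, "audited": 495.0},
    {"book": 515.0, "audited": 505.0},  # overstated by 10
    {"book": 485.0, "audited": 485.0},
    {"book": 500.0, "audited": 500.0},
]

def incidence_rate(sample):
    """Attribute sampling: share of sampled records carrying the attribute
    'misstated', i.e. a compliance-style rate-of-incidence conclusion."""
    misstated = sum(1 for r in sample if r["audited"] != r["book"])
    return misstated / len(sample)

def mean_per_unit_estimate(sample, population_size):
    """Unstratified mean per unit: the sample's average audited value,
    projected to the whole population as an estimated total."""
    return mean(r["audited"] for r in sample) * population_size

def difference_estimate(sample, population_size, population_book_total):
    """Difference estimation: the average (audited - book) difference in the
    sample, projected to the population and applied to the book total."""
    avg_diff = mean(r["audited"] - r["book"] for r in sample)
    return population_book_total + avg_diff * population_size

def level_of_risk_percent(confidence_coefficient_percent):
    """Level of risk = 100% minus the confidence coefficient (in percent)."""
    return 100 - confidence_coefficient_percent

if __name__ == "__main__":
    print(f"incidence rate:          {incidence_rate(SAMPLE):.0%}")
    print(f"mean-per-unit estimate:  {mean_per_unit_estimate(SAMPLE, POPULATION_SIZE):,.0f}")
    print(f"difference estimate:     {difference_estimate(SAMPLE, POPULATION_SIZE, POPULATION_BOOK_TOTAL):,.0f}")
    print(f"level of risk at 95% CC: {level_of_risk_percent(95)}%")
```

The two variable-sampling models disagree here (497,000 versus 502,000) because mean per unit ignores book values entirely, so a sample whose book values average below the population's pulls the estimate down, while difference estimation only projects the misstatements found.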

Remember: The IS auditor must be familiar with all sampling techniques and when they are appropriate.

11. Control Self-assessment (CSA)

1. What is CSA?

A