CISA - Domain 1 v2

The document outlines the Certified Information Systems Auditor (CISA) certification, detailing the exam structure, domains of knowledge, and requirements for certification. It includes information about the presenter and attendees, as well as a comprehensive overview of the auditing process, including planning, execution, and types of audits. Additionally, it highlights the importance of compliance, risk assessment, and various control classifications in the context of information systems auditing.


Certified Information Systems Auditor (CISA)
By: Hussam Kharouf
Course Agenda
• About the presenter
• About the attendees
• Overview of CISA Exam and Certification
• Domain (1): Information Systems Auditing Process
• Domain (2): Governance and Management of IT
• Domain (3): Information Systems Acquisition, Development & Implementation
• Domain (4): Information Systems Operations and Business Resilience
• Domain (5): Protection of Information Assets

About the Presenter
• More than 16 years of experience in IT Internal Auditing and
Internal Audit quality assurance in Islamic and commercial banking
and aviation.
• Holding several certifications including:
o CISA
o CIA
o PMP
o ISO 27001 Lead Auditor
o CEH
o CDPSE
o COBIT 2019 Foundation
o ITIL V3 Foundation
About the Attendees
• Name
• Department
• Level of IT knowledge
• Level of auditing knowledge
• Expectations

Overview of CISA Certification
• Established: 1978
• CISA is world-renowned as the gold standard of achievement for those who audit, control, monitor and assess an organization's information technology and business systems.
• Holders worldwide: 151,000+
• Holders in Jordan: 100+
CISA Domains (exam weighting)
• Domain (1): Information Systems Auditing Process: 18%
• Domain (2): Governance and Management of Information Technology: 18%
• Domain (3): Information Systems Acquisition, Development & Implementation: 12%
• Domain (4): Information Systems Operations and Business Resilience: 26%
• Domain (5): Protection of Information Assets: 26%
CISA Exam
• Exam Format:
o 150 multiple choice questions
• Exam length:
o 240 minutes
• Scoring Criteria:
o Candidate scores are reported as a scaled score
o ISACA uses and reports scores on a common scale from 200 to 800
o Candidate must receive a score of 450 or higher to pass the exam
o Exam scores are based on the total number of exam items answered correctly, regardless of domain
CISA Certification Experience Requirements
• 5 years of IS audit, control, assurance or security work experience, of which at least 2 years must be within the CISA job practice areas
• Waivers:
o General work experience: 1 year can be substituted with 1 year of information systems or financial audit work experience
o Education experience waiver:
➢ 2-year waiver for a bachelor's, master's or doctorate degree in any field of study
➢ 3-year waiver for a master's degree in Information Systems or a related field
Official CISA Exam Resources
• CISA Review Manual, 28th Edition 2024
• CISA Questions, Answers & Explanations Database 2024: 12-month subscription to a comprehensive 1,000-question pool of items
Domain (1): Information Systems Auditing Process

Pre-assessment

https://forms.gle/A8Fu8RF3MGsASZ6H7
Section A: Planning
• IS Audit Standards, Guidelines, and Codes of Ethics
• Business Processes
• Types of Controls
• Risk-Based Audit Planning
• Types of Audits and Assessments

Section B: Execution
• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

Audit
An audit helps an organization to:
• Ensure effective operations;
• Affirm compliance with various regulations;
• Confirm that the business is functioning well and is prepared to meet potential challenges;
• Gain assurance on the level of protection available for information assets;
• Assure stakeholders of the financial, operational and ethical well-being of the organization.
IS Audit
• Is the formal examination and/or testing of information systems.
• To determine whether:
o Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
o Information systems and related processes comply with governance criteria and relevant policies and procedures.
o Information systems data and information have appropriate levels of confidentiality, integrity and availability.
o Information systems operations are being accomplished efficiently and effectiveness targets are being met.
Types of Audit
• IS audit
• Compliance audit
• Financial audit
• Operational audit
• Integrated audit
• Administrative audit
• Specialized audit
• Computer forensic audit
• Functional audit


Integrated Audit
IT Audit Framework (ITAF)
• IT Audit Framework V4 issued in Oct 2020.
• Standards: mandatory requirements for IS audit and assurance and reporting.
• Guidelines: guidance in applying IS audit and assurance standards.
• Tools and techniques: provide examples of processes an IS auditor might follow in an audit engagement.
• ISACA Code of Professional Ethics: guides the professional and personal conduct of ISACA members and certification holders.
IT Audit Standards and Guidelines
• General (1000 Series): provide the guiding principles under which the IS assurance profession operates.
• Performance (1200 Series): deal with the conduct of the assignment.
• Reporting (1400 Series): address the types of reports, means of communication and the information communicated.
Managing Internal Audit

Topic                              Standard   Guideline
Audit Charter                      1001       2001
Organizational Independence        1002       2002
Auditor Objectivity                1003       2003
Reasonable Expectation             1004       2004
Due Professional Care              1005       2005
Proficiency                        1006       2006
Performance and Supervision        1204       2204
Using the Work of Other Experts    1206       2206
ISACA Code of Professional Ethics
Members and certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards and procedures.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
• Serve in the interest of stakeholders in a lawful manner.
• Maintain the privacy and confidentiality of information obtained in the course of their activities.
• Maintain competency in their respective fields.
Audit Charter
• Written document approved by the Audit Committee or Board of Directors, or by senior management if neither exists.
• Defines:
o Independence
o Purpose and scope
o Authority
o Responsibility
o Management's responsibility
• A static document, reviewed periodically.
Audit Planning
• Short-term planning involves all audit issues that will be covered
during the year.
• Long-term planning takes into account all risk related issues that
might be affected by the organization’s IT strategic direction.

Risk-Based Audit Planning
• The first step in performing an IS audit is adequate planning.
• To plan an audit, the following tasks must be completed:
o List all the processes that may be considered for the audit.
(Audit Universe)
o Evaluate each process by performing a qualitative or
quantitative risk assessment based on objective criteria and
clear risk factors.
o Define the overall risk of each process.
o Construct an audit plan to include all of the processes that are
rated “high” which would represent the ideal annual audit plan.

Risk Types
• Inherent risk: is the risk level or exposure of the process/entity to be
audited without considering the controls that management has
implemented. Inherent risk exists independent of an audit and can
occur because of the nature of the business.
• Control risk: The risk that a material error exists that would not be
prevented or detected on a timely basis by the system of internal
controls.
• Detection risk: The risk that material errors or misstatements that
have occurred will not be detected by an IS auditor.
• Overall audit risk: The probability that information or financial
reports may contain material errors and that the auditor may not
detect an error that has occurred.
• Sampling risk: the risk that incorrect assumptions are made about
the characteristics of a population from which a sample is selected.
Audit Project Phases
• Planning
• Fieldwork/Documentation
• Reporting/Follow-up

Audit Phases
Audit Planning Steps
• Gain an understanding of the business’s mission, objectives,
purpose and processes.
• Gain an understanding of the Organization’s governance structure
and practices related to the audit objectives.
• Understand changes in business environment of the auditee.
• Review prior work papers.
• Identify stated contents, such as policies, standards and required
guidelines, procedures and organization structure.
• Perform a risk analysis to help in designing the audit plan.
• Set the audit scope and audit objectives.
• Develop the audit approach or audit strategy.
• Assign personnel resources to the audit.
• Address engagement logistics.
Effect of Laws and Regulations
There are two areas of concern that impact the audit scope and
objectives:
• Legal requirements placed on the audit
• Legal requirements placed on the auditee and its systems, data
management, reporting, etc.

Planning Phase

Audit Objectives
• A key element in IS audit planning is translating basic audit
objectives into specific IS audit objectives.
• Audit objectives refer to the specific goals that must be
accomplished by the audit. They are often focused on validating
that internal controls exist and are effective at minimizing business
risk.

Audit Programs
• An audit program is a step-by-step set of audit procedures and
instructions that should be performed to complete an audit.
• Audit programs are based on the scope and objective of the
particular assignment.
• It is the audit strategy and plan.
• It identifies scope, audit objectives and audit procedures to obtain
sufficient, relevant and reliable evidence to draw and support audit
conclusions and opinions.

Fieldwork/Documentation Phase

General Audit Procedures
• Obtaining and recording an understanding of the audit area/subject
• A risk assessment and general audit plan and schedule
• Detailed audit planning
• Preliminary review of the audit area/subject
• Evaluating the audit area/subject
• Verifying and evaluating the appropriateness of controls designed
to meet control objectives
• Compliance testing
• Substantive testing
• Reporting
• Follow-up
Procedures for Testing and Evaluating IS Controls
• The use of generalized audit software to survey the contents of data files (including system logs)
• The use of specialized software to assess the contents of operating system, database and application parameter files
• Flow-charting techniques for documenting automated applications and business processes
• The use of audit logs/reports available in operating/application systems
• Documentation review
• Inquiry and observation
• Walk-throughs
• Reperformance of controls
Audit Workpapers
• All audit plans, programs, activities, tests, findings and incidents
should be properly documented in work papers.
• Work papers should provide a seamless transition—with traceability
and support for the work performed—from objectives to report and
from report to objectives.

Fraud, Irregularities And Illegal Acts
• The presence of internal controls does not altogether eliminate
fraud.
• An IS auditor should:
o Observe and exercise due professional care in all aspects of
their work.
o Be alert to the possible opportunities that allow fraud to
materialize.
o Be aware of the possibility and means of perpetrating fraud,
especially by exploiting the vulnerabilities and overriding controls
in the IT-enabled environment.
o Have knowledge of fraud and fraud indicators and be alert to the
possibility of fraud and errors while performing an audit.

Testing Methods
• Compliance testing: evidence gathering for the purpose of testing an organization's compliance with control procedures.
• Substantive testing: evidence gathering to evaluate the integrity of individual transactions, data or other information.
• If the results of testing controls (compliance tests) reveal the presence of adequate internal controls, then reducing the extent of substantive procedures could be justified.
• Conversely, if the control testing reveals weaknesses in controls that may raise doubts about the completeness, accuracy or validity of the accounts, substantive testing can alleviate those doubts.
Relationship Between Compliance and Substantive Tests
Audit Evidence
• Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions.
• Audit conclusions must be based on reliable, sufficient, relevant and competent evidence.
• Some types of evidence are more reliable than others. Reliability is determined by:
o The independence of the evidence provider
o The qualifications of the evidence provider
o The objectivity of the evidence
o The timing of the evidence
• Evidence is considered competent when it is both valid and relevant.
Evidence Gathering Techniques
• Reviewing IS organization structures
• Reviewing IS policies and procedures
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance
• Reperformance
• Walk-through

Interviews And Observations
• Observing personnel in the performance of their duties assists an
IS auditor in identifying:
o Actual functions
o Actual processes/ procedures
o Security awareness
o Reporting relationships
• Observation drawbacks: Personnel, upon noticing that they are
being observed, may change their usual behavior.

Agile Auditing
• Agile methodologies benefit audit departments through production
of rapid audit results, avoidance of siloed audit and customer
teams, communications in near real time and effective collaboration
with auditees.
• Benefits of Agile Auditing:
o Reduced end-to-end planning.
o Streamlined audit engagements.
o Direct customer collaboration.
o Flexible audit scope.
o Real-time assurance.
o Frequent audit plan updates.

Control Relationship to Risk

General Control Methods
Control Classifications
• Preventive: inhibit or impede attempts to violate security policy and practices. Examples: encryption, user authentication and vault-construction doors.
• Deterrent: provide guidance or warnings that may dissuade intentional or unintentional attempts at compromise. Examples: warning banners on login screens, acceptable use policies, security cameras and rewards for the arrest of hackers.
• Detective: provide warnings of violations or attempted violations of security policy and practices without inhibiting or impeding the questionable actions. Examples: audit trails, intrusion detection systems (IDSs) and checksums.
• Corrective: remediate errors, omissions, unauthorized uses and intrusions when detected. Examples: data backups, error correction and automated failover.
• Compensating: offset a deficiency or weakness in the control structure of the enterprise, often because the baseline controls cannot meet a stated requirement due to legitimate technical or business constraints.

Deterrent and preventive controls reduce the likelihood of a threat event (the probability of something happening); detective controls reveal an event once it has occurred; corrective controls mitigate its consequences.
Control Frameworks
• Center for Internet Security (CIS) Controls
• OWASP Software Assurance Maturity Model (SAMM)
• Service Organization Controls (SOC) reports
• Payment Card Industry (PCI) Data Security Standard (DSS)
• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
Business Application Controls
• Ecommerce. Example risk: Structured Query Language (SQL) injection attacks. Related controls: secure coding training for developers, system development life cycle (SDLC) code reviews and form input validity checks.
• Electronic data interchange (EDI). Example risk: transmitted data is at risk of being intercepted and potentially manipulated or compromised. Related controls: appropriate encryption controls should be used to ensure the confidentiality and integrity of transmitted data.
• Email. Example risk: social engineering. Related controls: spam filtering, hyperlink verification and phishing training for email users.
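The ecommerce row names SQL injection as the risk and code review plus form input validity checks as the controls. As an added example (not part of the slides), the Python below shows what a reviewer is looking for: a query built by string formatting beside its parameterized and input-validated replacement, run against an in-memory SQLite table. The table, column and customer names and the handle format rule are made up for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the illustration (not from the slides).
SAMPLE_ORDERS = [("alice", 120.50), ("bob", 75.00), ("carol", 980.00)]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database holding a small constructed orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The pattern a code review should flag: user input is spliced into the SQL
    text, so a value such as  bob' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """Remediated form: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Form input validity check (assumed business rule: lowercase handle, max 32 chars).
CUSTOMER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def valid_customer(value: str) -> bool:
    return CUSTOMER_RE.fullmatch(value) is not None


def orders_checked(conn: sqlite3.Connection, customer: str) -> list:
    """Defence in depth: reject malformed input at the form boundary, then use
    the parameterized query for the lookup."""
    if not valid_customer(customer):
        raise ValueError("customer handle rejected by input validity check")
    return orders_parameterized(conn, customer)


if __name__ == "__main__":
    db = build_db()
    payload = "bob' OR '1'='1"
    print("vulnerable:", orders_vulnerable(db, payload))        # every row leaks
    print("parameterized:", orders_parameterized(db, payload))  # no such customer
    try:
        orders_checked(db, payload)
    except ValueError as exc:
        print("checked:", exc)
```

Run it and the vulnerable function returns all three rows for the payload while the parameterized one returns none; the auditor's evidence is the contrast between the two call sites, not the framework in use.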
Business Application Controls (continued)
• Industrial control systems (ICS). Example risk: highly sensitive and, if compromised, can have a direct impact on human life. Related controls: adding perimeter security controls, such as network segmentation and multifactor authentication.
• Artificial intelligence (AI) and expert systems. Example risk: AI systems rely on learned data and associated decision trees that can be inherently biased. Related controls: a proper level of expertise was used in developing the basic assumptions and formulas.
Control Self-Assessment (CSA)
• The self-assessment of controls by process owners: the employee who understands the business process evaluates its risks and controls. CSA is a process whereby the process owner gains a realistic view of their own performance.
• CSA ensures the involvement of the user group in a periodic and proactive review of risk and control.
Objectives of CSA
• Make functional staff responsible for control monitoring.
• Enhance audit responsibilities (not to replace the audit’s
responsibilities).
• Concentrate on critical processes and areas of high risk.

Benefits of CSA
• It allows risk detection at an early stage of the process and reduces
control costs.
• It helps in ensuring effective and stronger internal controls, which
improves the audit rating process.
• It helps the process owner take responsibility for control monitoring.
• It helps in increasing employee awareness of organizational goals.
It also helps in understanding the risk and internal controls.
• It improves communication between senior officials and operational
staff.
• It improves the motivational level of the employees.
• It provides assurance to all the stakeholders and customers.
• It provides assurance to top management about the adequacy,
effectiveness, and efficiency of the control requirements.
Disadvantages of CSA
• It could be mistaken as an audit function replacement.
• It may be regarded as an additional workload (e.g. one more report
to be submitted to management).
• Failure to act on improvement suggestions could damage
employee morale.
• Lack of audit knowledge may limit effectiveness in the detection of
weak controls.

IS Auditor’s Role in CSA
• The IS auditor’s role is to act as a facilitator for the implementation
of CSA.
• It is the IS auditor’s responsibility to guide the process owners in
assessing the risk and control of their environment.
• The IS auditor should provide insight into the objectives of CSA.
• An audit is an independent function and should not be waived even
if CSA is being implemented.
• Both CSA and an audit are different functions and one cannot
replace the other.

Sampling
• Sampling is used to infer characteristics about a population based
on the characteristics of a sample.
• Sampling approaches:
o Statistical sampling uses an objective method to determine the
sample size and selection criteria. (Each item in the population
should have an equal opportunity or probability of being
selected)
o Non-statistical (judgmental) sampling uses the IS auditor’s
judgment (subjective) to determine the sample size and
selection criteria.

Sampling Methods - Attribute Sampling
• Attribute sampling is the simplest kind of sampling, based on the presence or absence of certain attributes; it measures basic compliance.
• It answers the question, "How many?"
• It is expressed as a percentage, for example, "90% complied."
• Attribute sampling is usually used in compliance testing.
• Types:
o Attribute sampling (fixed sample-size attribute sampling or frequency-estimating sampling)
o Stop-or-go sampling:
➢ Stop-or-go sampling is used where controls are strong and very few errors are expected.
➢ It helps to prevent excess sampling by allowing the audit test to end at the earliest possible moment.
o Discovery sampling:
➢ Discovery sampling is used when the objective is to detect fraud or other irregularities.
➢ If a single error is found, the entire sample is believed to be fraudulent/irregular.

Statistical Sampling Terminology
• Confidence coefficient: a confidence coefficient, or confidence level, is a measure of the accuracy of and confidence in the quality of a sample. Sample size and confidence coefficient are directly related: a larger sample gives a higher confidence coefficient.
• Level of risk: derived by deducting the confidence coefficient from 1.
• Expected error rate: the expected percentage of errors that may exist. When the expected error rate is high, the auditor should select a larger sample size. This figure is applied to attribute sampling formulas but not to variable sampling formulas.
• Sample mean: the average of all collected sample values, derived by adding all the sample values and dividing the sum by the number of samples.
• Sample standard deviation: the dispersion of the sample values around the sample mean.
• Tolerable error rate: the maximum error rate that can exist without the audit result being materially misstated.
• Population standard deviation: a mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. This figure is applied to variable sampling formulas but not to attribute sampling formulas.
• Precision: set by an IS auditor, the acceptable range of difference between the sample and the actual population. The higher (wider) the precision amount, the smaller the sample size and the greater the risk of fairly large total error amounts going undetected. The smaller the precision amount, the greater the sample size.
Sampling Methods - Variable Sampling
• Variable sampling offers more information than attribute sampling.
• It answers the question, "How much?"
• It is expressed in monetary value, weight, height, or some other measurement, for example, "an average profit of $25,000."
• Variable sampling is usually used in substantive testing.
• Types:
o Stratified mean per unit: a statistical model in which the population is divided into groups and samples are drawn from the various groups; used to produce a smaller overall sample size relative to unstratified mean per unit.
o Unstratified mean per unit: a statistical model in which a sample mean is calculated and projected as an estimated total.
o Difference estimation: a statistical model used to estimate the total difference between audited values and book (unaudited) values based on differences obtained from sample observations.
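As an added example (not from the slides), the Python below works the sampling terminology into numbers for both the attribute methods used in compliance testing and the variable methods used in substantive testing: an exact binomial attribute-sampling size that reproduces the familiar table value of 93 items for 95% confidence, a 5% tolerable rate and a 1% expected rate; the discovery-sampling size; the achieved upper deviation limit that decides whether reliance on a control is justified; and the three variable-sampling projections. All population sizes, book values and sample values are constructed for the illustration.

```python
import math
from statistics import mean


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p); exact, no normal approximation."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


# ---- attribute sampling (compliance testing) --------------------------------

def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the true deviation rate were the tolerable rate,
    seeing no more than the expected number of deviations (ceil(expected * n))
    has probability <= level of risk (1 - confidence)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        allowed = math.ceil(expected_rate * n)
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n
    raise ValueError(f"no sample size up to {max_n} meets the parameters")


def discovery_sample_size(confidence: float, occurrence_rate: float) -> int:
    """Smallest n giving at least `confidence` probability of finding one or
    more occurrences when irregularities occur at `occurrence_rate`."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - occurrence_rate))


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation limit: the highest population rate still
    consistent with observing <= `deviations` in n items (bisection on p)."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid          # this rate is still plausible at the confidence level
        else:
            hi = mid          # this rate is already ruled out
    return hi


def reliance_justified(n: int, deviations: int, confidence: float,
                       tolerable_rate: float) -> bool:
    """Compliance-test conclusion: rely on the control only if the achieved
    upper deviation limit does not exceed the tolerable rate."""
    return upper_deviation_limit(n, deviations, confidence) <= tolerable_rate


# ---- variable sampling (substantive testing) --------------------------------

def mean_per_unit(sample_values, population_size: int) -> float:
    """Unstratified mean per unit: project the sample mean over the population."""
    return population_size * mean(sample_values)


def stratified_mean_per_unit(strata) -> float:
    """strata: iterable of (stratum_population_size, sample_values) pairs."""
    return sum(n_h * mean(values) for n_h, values in strata)


def difference_estimate(sample_pairs, population_size: int, book_total: float) -> float:
    """sample_pairs: (book_value, audited_value); projects the mean difference
    over the population and adjusts the book total by it."""
    diffs = [audited - book for book, audited in sample_pairs]
    return book_total + population_size * mean(diffs)


if __name__ == "__main__":
    print(attribute_sample_size(0.95, 0.05, 0.01))      # 93 items
    print(discovery_sample_size(0.95, 0.01))            # 299 items
    print(reliance_justified(93, 1, 0.95, 0.05))        # True: one deviation is within plan
    print(reliance_justified(93, 3, 0.95, 0.05))        # False: extend substantive testing
    # constructed substantive sample: 1,000 invoices with a book total of 205,000
    pairs = [(100, 100), (200, 190), (150, 150), (300, 280), (250, 250)]
    print(difference_estimate(pairs, 1000, 205_000))    # 199000
```

The attribute and discovery sizes grow as the expected or occurrence rate rises and as the tolerable rate or the level of risk falls, which is the behaviour the terminology slide describes in words; the reliance decision is the point where a compliance test result determines how much substantive testing follows.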
Sampling Risk
• The risk of incorrect acceptance: a material weakness is assessed as unlikely when, in fact, the population is materially misstated.
• The risk of incorrect rejection: a material weakness is assessed as likely when, in fact, the population is not materially misstated.

Sampling Steps

Sampling Summary
Audit Data Analytics
An IS auditor can use data analytics to:
• Determine the operational effectiveness of the current control environment
• Determine the effectiveness of antifraud procedures and controls
• Identify business process errors
• Identify business process improvements and inefficiencies in the control environment
• Identify exceptions or unusual business rules
• Identify fraud
• Identify areas where poor data quality exists
• Conduct a risk assessment at the planning phase of an audit
Collecting & Analyzing Data
• Setting the scope
• Identifying and obtaining data
• Validating the data
• Executing the tests
• Documenting the results
• Reviewing the results
• Retaining the results

Data Analytics Examples
• To determine whether a user is authorized by combining logical
access files with the human resource employee database
• To determine whether events are authorized by combining the file
library settings with change management system data and the date
of file changes
• To identify tailgating by combining input with output records
• To review system configuration settings
• To review logs for unauthorized access

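Three of the analytics listed above, worked as an added Python example (not from the slides): joining a logical access extract to the HR employee database to find enabled accounts whose owners are not active employees, reconciling badge entry (input) and exit (output) records to surface tailgating, and then reviewing an authentication log for use of the accounts already flagged. All records and log lines are constructed for the illustration, and the field names are assumed.

```python
import re
from datetime import date

# Constructed HR extract (not real data).
HR = [
    {"emp_id": "E100", "status": "active", "term_date": None},
    {"emp_id": "E101", "status": "terminated", "term_date": date(2024, 3, 31)},
    {"emp_id": "E102", "status": "active", "term_date": None},
]

# Constructed logical access extract: one row per account.
ACCESS = [
    {"account": "alice", "emp_id": "E100", "enabled": True, "last_logon": date(2024, 5, 2)},
    {"account": "bob", "emp_id": "E101", "enabled": True, "last_logon": date(2024, 4, 15)},
    {"account": "svc_batch", "emp_id": None, "enabled": True, "last_logon": date(2024, 5, 1)},
    {"account": "dave", "emp_id": "E999", "enabled": True, "last_logon": None},
    {"account": "erin", "emp_id": "E101", "enabled": False, "last_logon": None},
]


def unauthorized_accounts(access, hr):
    """Join enabled accounts to HR by employee id; report accounts with no owner
    on file or whose owner is no longer active (and any logon after leaving)."""
    hr_by_id = {row["emp_id"]: row for row in hr}
    findings = []
    for acct in access:
        if not acct["enabled"]:
            continue                        # disabled accounts are not an access exposure here
        emp = hr_by_id.get(acct["emp_id"])
        if emp is None:
            findings.append((acct["account"], "no matching HR record"))
        elif emp["status"] != "active":
            term = emp["term_date"]
            reason = f"owner {emp['status']}" + (f" on {term.isoformat()}" if term else "")
            if term and acct["last_logon"] and acct["last_logon"] > term:
                reason += "; logon after termination"
            findings.append((acct["account"], reason))
    return findings


# Constructed badge events: (time, badge id, direction).
BADGE = [
    ("08:01", "B1", "in"), ("08:02", "B2", "in"), ("12:00", "B1", "out"),
    ("12:30", "B3", "out"),                      # B3 never badged in
    ("13:00", "B1", "in"), ("17:05", "B2", "out"), ("17:10", "B1", "out"),
]


def tailgating_candidates(events):
    """Match entry (input) and exit (output) records per badge: an exit with no
    prior entry, or a second entry without an exit, marks a likely tailgater."""
    inside = set()
    findings = []
    for time, badge, direction in sorted(events):
        if direction == "in":
            if badge in inside:
                findings.append((badge, time, "entry while already inside"))
            inside.add(badge)
        else:
            if badge not in inside:
                findings.append((badge, time, "exit without recorded entry"))
            inside.discard(badge)
    return findings


# Constructed sshd-style log lines.
AUTH_LOG = [
    "2024-04-15T02:13:07 host1 sshd[4411]: Accepted password for bob from 10.0.0.5 port 51022 ssh2",
    "2024-04-15T09:00:01 host1 sshd[4420]: Accepted publickey for alice from 10.0.0.9 port 51100 ssh2",
    "2024-04-16T23:58:40 host1 sshd[4488]: Failed password for dave from 10.0.0.77 port 40211 ssh2",
]
LOGON_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Accepted|Failed) \S+ for (\S+) from (\S+)")


def logons_by_accounts(log_lines, accounts):
    """Review the log for any activity by the accounts already flagged."""
    hits = []
    for line in log_lines:
        m = LOGON_RE.match(line)
        if m and m.group(3) in accounts:
            hits.append((m.group(3), m.group(2), m.group(1), m.group(4)))
    return hits


if __name__ == "__main__":
    flagged = unauthorized_accounts(ACCESS, HR)
    print(flagged)
    print(tailgating_candidates(BADGE))
    print(logons_by_accounts(AUTH_LOG, {acct for acct, _ in flagged}))
```

The same join logic runs unchanged over a full HR and IAM export; the analytic is only as good as the key used to join them, so validating the data (the step before executing the tests) means confirming that every account row carries a usable employee id.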
Computer-Assisted Audit Techniques
• CAATs are extremely useful to IS auditors for gathering and
analyzing large and complex data during an IS audit. CAATs help
an IS auditor collect evidence from different hardware, software
environments, and data formats.

CAATs Types
• General audit software: a standard type of software used to read and access data directly from various database platforms.
• Utility and scanning software: helps in generating reports from the database management system and scans the system for vulnerabilities.
• Debugging software: helps in identifying and removing errors from computer hardware or software.
• Test data: used to test the processing logic, computations and controls programmed in computer applications.
CAATs Considerations
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies (especially with a PC CAAT)
• Effort required to bring the source data into the CAATs for analysis
• Ensuring the integrity of imported data by safeguarding their
authenticity
• Recording the time stamp of data downloaded at critical processing
points to sustain the credibility of the review
• Obtaining permission to install the software on the auditee servers
• Reliability of the software
• Confidentiality of the data being processed
Continuous Auditing and Monitoring
• In continuous auditing, an audit is conducted in a real-time or near-real-time environment, so the gap between operations and the audit is much shorter than under a traditional audit approach (e.g. high payouts are audited immediately after a payment is made).
• In continuous monitoring, the relevant process of a system is observed on a continuous basis (e.g. antivirus or IDSs may continuously monitor a system or a network for abnormalities).
Continuous Auditing Techniques
• Systems control audit review file and embedded audit modules (SCARF/EAM). Description: involves embedding specially written audit software in the organization's host application system so the application systems are monitored on a selective basis. Complexity: very high. Useful when: regular processing cannot be interrupted.
• Snapshots. Description: involves taking what might be termed "pictures" of the processing path that a transaction follows, from the input to the output stage. Complexity: medium. Useful when: an audit trail is required.
• Audit hooks. Description: involves embedding hooks (e.g., logging and monitoring triggers) in application systems to function as red flags and induce IS security and auditors to act before an error or irregularity gets out of hand. Complexity: low. Useful when: only select transactions or processes need to be examined.
• Integrated test facility (ITF). Description: dummy entities are set up and included in an auditee's production files. The operator enters the test transactions simultaneously with the live transactions that are entered for processing. An auditor then compares the output with data that has been independently calculated to verify the correctness of the computer-processed data. Complexity: high. Useful when: it is not beneficial to use test data.
• Continuous and intermittent simulation (CIS). Description: during a process run of a transaction, the computer system simulates the instruction execution of the application. Complexity: medium. Useful when: transactions meeting certain criteria need to be examined.
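How SCARF/EAM and audit hooks differ in practice, as an added Python example (not from the slides): a toy payment run in which an embedded audit module copies transactions meeting selection criteria to a SCARF file without interrupting processing, while an audit hook raises a red flag the moment a single transaction matches an irregularity pattern. The threshold, approved-payee list, hook condition and payment batch are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Payment:
    ref: str
    payee: str
    amount: float
    approver: Optional[str]          # None when no approval was recorded


@dataclass
class EmbeddedAuditModule:
    """SCARF/EAM: audit code that lives inside the application. It never stops
    a transaction; it copies the ones meeting the selection criteria into a
    separate audit file for later review."""
    amount_threshold: float
    approved_payees: Set[str]
    scarf_file: List[dict] = field(default_factory=list)

    def inspect(self, p: Payment) -> None:
        reasons = []
        if p.amount >= self.amount_threshold:
            reasons.append("amount at or above threshold")
            if p.approver is None:
                reasons.append("no approver recorded")
        if p.payee not in self.approved_payees:
            reasons.append("payee not on approved list")
        if reasons:
            self.scarf_file.append({"ref": p.ref, "amount": p.amount, "reasons": reasons})


def audit_hook(p: Payment, threshold: float) -> bool:
    """Audit hook: a narrow red-flag test wired into the application. The
    pattern here (assumed for the illustration) is a round-sum payment kept
    just below the approval threshold with no approver, a classic structuring sign."""
    return (p.approver is None
            and p.amount % 1000 == 0
            and threshold * 0.9 <= p.amount < threshold)


def process_payments(payments: List[Payment], eam: EmbeddedAuditModule):
    """Toy posting run: every payment is posted (processing is not interrupted),
    the EAM inspects each one, and hook alerts are returned for immediate action."""
    ledger_total = 0.0
    alerts = []
    for p in payments:
        ledger_total += p.amount           # the business processing itself
        eam.inspect(p)                     # SCARF selection, silent to the operator
        if audit_hook(p, eam.amount_threshold):
            alerts.append(p.ref)           # red flag the auditor acts on now
    return ledger_total, eam.scarf_file, alerts


# Constructed payment batch for the illustration.
PAYMENTS = [
    Payment("P1", "vendor_a", 500.0, "mgr1"),
    Payment("P2", "vendor_b", 12_000.0, None),
    Payment("P3", "shell_co", 7_500.0, "mgr1"),
    Payment("P4", "vendor_a", 9_000.0, None),
]


def run_demo():
    eam = EmbeddedAuditModule(amount_threshold=10_000.0,
                              approved_payees={"vendor_a", "vendor_b"})
    return process_payments(PAYMENTS, eam)


if __name__ == "__main__":
    total, scarf, alerts = run_demo()
    print(total)          # 29000.0: all four payments were posted
    for entry in scarf:
        print(entry)      # P2 and P3 selected for later review
    print(alerts)         # ['P4'] flagged immediately by the hook
```

P4 passes the EAM's criteria untouched (below threshold, approved payee) and is caught only by the hook, which is the point of running both: broad selective capture for review alongside a cheap trigger for the one pattern that must not wait for the review cycle.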
Artificial Intelligence in IS Audit
• IS auditors may benefit from using AI/ML techniques to increase
overall audit efficiency or decrease audit risk.
• Efficiency can be gained through automating tedious manual
processes like audit work paper markups or data manipulation.
• Audit risk may be decreased through the ability to increase audit
sample sizes or provide auditors with more time and information to
analyze audit results for further testing and follow up.

Artificial Intelligence in IS Audit
• AI/ML audit risk and considerations:
o Inadequate testing of AI outcomes can produce questionable results or audit outcomes.
o Training data fed to algorithms, particularly ML algorithms, should be correct and adequate.
o The tendency to trust the machine's answer is strong, but justified only if the correctness has been exhaustively tested and the machine actually answers the appropriate questions.
o Using AI tools built by humans introduces the ethics and bias of human judgment and stereotyping.
Reporting/Follow-Up Phase

Communicating Audit Results
• The IS auditor communicates the audit results in an exit interview
with management.
• During the exit interview, the IS auditor should:
o Ensure that the facts presented in the report are correct.
o Ensure that the recommendations are realistic and cost-
effective, and if not, seek alternatives through negotiation with
auditee management.
o Recommend implementation dates for agreed upon
recommendations.
• The IS auditor can present the results of the audit in an executive
summary or a visual presentation.

Communicating Audit Results
• Before communicating results of the audit to senior management, the IS auditor should discuss the findings with the key process owners to gain agreement on the findings and develop a course of corrective action.
• IS auditors should feel free to communicate issues or concerns with senior management or the audit committee.
• Sometimes auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
• If a control weakness is identified that is not within the scope of the audit, it should still be reported to management during the audit process. Generally accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
Audit Report Objectives
• The presentation of audit findings/results to all the stakeholders
(that is, the auditees).
• The audit report serves as a formal closure for the audit committee.
• The audit report provides assurance to the organization. It identifies
the areas that require corrective action and associated suggestions.
• The audit report serves as a reference for any party researching the
auditee or audit topic.
• It helps in follow-ups of audit findings presented in the audit reports
for closure.
• A well-defined audit report promotes audit credibility. This depends
on the report being well developed and well written.

Audit Report
• ISACA IS Audit and Assurance Standard (1401 Reporting):
o Audit reports present the IS auditor’s findings and
recommendations to management. They are the end product of
the IS audit work.
o The report should be balanced, describing not only negative
issues in terms of findings but positive constructive comments
regarding improving processes and controls or effective controls
already in place.

Audit Report Structure
The audit report format and structure depend on the organization's audit policies and procedures, but reports usually have the following structure and content:
• An introduction to the report, including the audit objectives, limitations and scope, the period of audit coverage, and a general statement on the procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
• Audit findings, often grouped in sections by materiality and/or intended recipient
• The IS auditor's overall conclusion and opinion on the adequacy of controls and procedures, and the actual and potential risk identified as a consequence of detected deficiencies
• The IS auditor's reservations or qualifications with respect to the audit.
Audit Documentation
• Audit documentation provides the necessary evidence that supports the audit findings and conclusions.
• It should be clear, complete, and easily retrievable.
• It is the property of the auditing entity and should only be accessible to authorized personnel.
• All audit documentation should be:
o Dated
o Initialed
o Page-numbered
o Self-contained
o Properly labeled
o Kept in custody
Audit Documentation (continued)
• Audit documentation should include, at a minimum, a record of the following:
o Planning and preparation of the audit scope and objectives
o Description and/or walk-throughs of the scoped audit area
o Audit program
o Audit steps performed and audit evidence gathered
o Use of services of other auditors and experts
o Audit findings, conclusions and recommendations
o Audit documentation relation with document identification and dates
Follow-up Activities
• It is the IS auditor’s responsibility to ensure that management has
taken appropriate corrective actions.
• A follow-up program should be implemented to manage follow-up
activities.
• Timing of follow-up depends on the criticality of the audit findings.
• Results of the follow-up should be communicated to the appropriate
level of management.

Quality Assurance and Improvement
It is important that the audit process itself improves continuously, through:
• Audit Committee oversight
• Audit quality assurance
• Audit team training and development
• Monitoring, e.g.
o Audit QA
o Independence monitoring
o Certifications and accreditations
o Continued professional education
Post-assessment

https://forms.gle/A8Fu8RF3MGsASZ6H7

Thank You!