Richard E. Cascarino - The Complete Guide for CISA Examination Preparation

The Complete Guide for CISA Examination Preparation

Internal Audit and IT Audit

Series Editor
Dan Swanson, Dan Swanson and Associates, Ltd.,
Winnipeg, Manitoba, Canada.

The Internal Audit and IT Audit series publishes leading-edge books on critical subjects facing audit executives as well as internal and IT audit practitioners. Key topics include Audit Leadership, Cybersecurity, Strategic Risk Management, Auditing Various IT Activities and Processes, Audit Management, and Operational Auditing.

The Complete Guide for CISA Examination Preparation
Richard E. Cascarino

Blockchain for Cybersecurity and Privacy: Architectures, Challenges, and Applications
Yassine Maleh, Mohammad Shojafar, Mamoun Alazab, Imed Romdhani

The Cybersecurity Body of Knowledge: The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity
Daniel Shoemaker, Anne Kohnke, Ken Sigler

Corporate Governance: A Pragmatic Guide for Auditors, Directors, Investors, and Accountants
Vasant Raval

The Audit Value Factor
Daniel Samson

Managing IoT Systems for Institutions and Cities
Chuck Benson

Fraud Auditing Using CAATT: A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud
Shaun Aghili

How to Build a Cyber-Resilient Organization
Dan Shoemaker, Anne Kohnke, Ken Sigler

Auditor Essentials: 100 Concepts, Tips, Tools, and Techniques for Success
Hernan Murdock

Project Management Capability Assessment: Performing ISO 33000-Based Capability Assessments of Project Management
Peter T. Davis, Barry D. Lewis

For more information about this series please visit: https://www.routledge.com/Internal-Audit-and-IT-Audit/book-series/CRCINTAUDITA

The Complete Guide for CISA Examination Preparation

Richard E. Cascarino

First edition published 2021
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

2021 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk

Trademark notice : Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

ISBN: 9781138308763 (hbk)
ISBN: 9780367551742 (pbk)
ISBN: 9780429030000 (ebk)

Typeset in Caslon Pro
by Deanta Global Publishing Services, Chennai, India

Contents

For any organization to survive and compete successfully in todays environment, successful implementation of appropriate Computer Systems is essential. Such implementation involves not only the development of appropriate systems, but also their usage, maintenance, and reliability. Protection of information assets, systems availability, data integrity, confidentiality, and robustness have become non-negotiables in the competitive world we face today.

In response to this, ISACA has updated its Certified Information Systems Auditor (CISA) certification as of June 2019 to reflect the changing priorities and industry trend in order to ensure the alignment of the Information Systems Auditors knowledge base with the needs of tomorrows digital age.

In order for organizations to utilize the leverage achievable with the effective use of IT, it is important that the systems can be relied upon and they require that the auditors confirm that this is indeed the case. The modern auditors therefore require significantly more knowledge of IT, IT risk, and IT control than did their predecessors. Todays IT systems process data in high volumes and at high speed with limited or no manual interventions and control opportunities. As a result, the control opportunities previously monitored by management have migrated within the IT environment itself. Fundamental business controls previously relied upon by the auditor, such as segregation of duties and management authorization are no longer carried out external to the IT environment and must be audited in a different manner.

The concentration of risk resulting from the shift and control implementation means that the balance between preventative, detective, and corrective controls has also had to move into alignment while technology such as cloud-based systems has moved the basis of legal constraints and burdens of proof in the event of dispute into a whole new arena.

While this may sound negative, these changes can greatly increase opportunities for auditors to deliver quality service because a concentration of risk facilitates the auditors focusing their efforts and utilizing the computer itself to assist in the audit of the IT environment and application systems usage. In addition, built-in program procedures allow the auditor to adopt a systems approach to auditing because the computer encourages consistent execution of controls as opposed to the older manual controls where execution was, to a large extent, at the mercy of the individual supervisor or manager.

The effect on the audit is that the focus can be on the control environment, its design and implementation and the substantive testing of the results of individual transactions can be significantly reduced.

Controls with IT systems may be generally classified into two main subdivisions, namely:

• General controls that is, controls governing the environment within which the computer system is developed, maintained, and operated and within which the application controls operate. These controls include the implementation of appropriate systems development standards, controls over the operation of the computer installation and those governing the functioning and maintenance of System Software. As such, they have a pervasive effect on all application systems.
• Application controls these are the controls which operate within the business application to ensure that data is processed completely, accurately, and in a timely manner.

Ultimately, the auditors job is to determine if the application systems function as intended and evaluate management controls to ensure the integrity, accuracy, and completeness of all information processing.

Not only must management rely upon the work done by the auditors, whether internal or external, but they need assurance that the work is carried out to internationally accepted standards and the audit processes themselves can be relied upon. As such, management seeks independent proof that the work carried out by the auditors meets this standard.