The Audit Process of Information System [Part-1]

Updated: Dec 31, 2020

The value of CISA

Certified Information Systems Auditor (CISA) is the international certification for IT auditors. CISA holders have become the most sought-after talent in the world. Most people holding the CISA vocational qualification hold important positions in the top five international accounting firms, professional consulting institutions, and world-renowned multinational companies.

According to salary indices and rankings covering multiple information technology skills and certificates, CISA has been among the highest-paid certificates over the past three years.

The Audit Process of Information System


According to the analysis in the British Government's Cyber Security Skills Report, CISA is one of the certificates employers value most when recruiting.

CISA is a prerequisite for the Australian Government's iRAP certificate and a certificate required by the Australian Signals Agency.

The Securities Exchange of India (SEBI) stipulates that suppliers of computer-to-computer connection (CTCL) trading software must be audited by auditors who hold CISA/CISSP/ISA/DISA certificates. The Indian Income Tax Department requires all electronic receipt intermediaries to obtain a CISA certificate or pass ISA certification.

Passing the CISA exam and holding the certificate is a great help to individuals and businesses alike. Through CISA training, students improve the knowledge and skills needed for IT audit and information security; it also helps enterprises and institutions train a group of professionally qualified IT auditors, control and security personnel, and makes CISA exam review more efficient for those seeking certification.

1. IS audit and assurance standards, guidelines, tools, professional ethics

Information Technology Assurance Framework (ITAF):

a. Auditing standards: mandatory requirements

  1. General standards: basic audit guidelines

  2. Implementation standards: cover the performance and management of audit tasks

  3. Reporting standards: cover report types, communication methods, and the information to be communicated

b. Audit Guide: Focus on audit methods and theories

c. Tools and techniques (also called procedures): provide various methods, tools, and templates.

The relationship between the three: IS auditors must comply with auditing standards, auditing guidelines help to apply the auditing standards, and auditing tools and techniques provide examples of specific processes and steps.

2. Risk assessment concepts, tools, and techniques

The definition of risk: "Risk is the possibility that a specific threat exploits a vulnerability of an asset to cause damage to the organization." (ISO/IEC PDTR13335-1)

The five-step process of risk assessment:

  1. Identify business objectives (BO, Business Objective)

  2. Identify information assets (IA, Information Asset)

  3. Conduct a risk assessment (RA, Risk Assessment): threat→vulnerability→possibility→impact

  4. Carry out risk mitigation (RM, Risk Mitigation): implement relevant controls

  5. Carry out risk treatment (RT, Risk Treatment)

Risk-based 5-step audit:

  1. Collect information and plans

  2. Understand internal control

  3. Execute compliance test

  4. Perform substantive testing

  5. Complete the audit and report

Audit risk: the risk that material errors in the information go undetected during the audit process.

  • Inherent Risk: the risk inherent to the business itself, i.e. the risk present when no controls are applied

  • Control Risk: the risk that remains after controls are applied

  • Detection Risk: the risk that the audit procedures fail to find an error and the auditor draws the wrong conclusion

  • Overall Audit Risk: a comprehensive assessment of the various audit risks for each control objective.

Audit materiality (Materiality): the extent to which an error or problem would be regarded as serious by the organization.

  • Sampling cannot detect all errors in the population, but it can reduce detection risk to an acceptable level.

  • Individually small errors may not be serious, but in combination they may become material.

  • Materiality requires reasonable judgment by IS auditors, and it is difficult to determine.

4 methods of risk disposal (the acceptable standard of risk should be determined first):

  1. Reduce risk (Mitigate): take appropriate controls to reduce risk

  2. Accept the risk (Accept): accept the risk when it falls within the organization's risk acceptance criteria

  3. Avoid risk (Avoid): stop the business activities that generate risks, thereby avoiding risks

  4. Transfer risk (Transfer): transfer risk to other organizations

3 techniques of risk assessment:

  1. Scoring mechanism

  2. Subjective judgment

  3. A combination of the two
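As an added example (not from the original post), the scoring mechanism, the subjective adjustment and the four disposal options above can be combined into a small risk-register script. The 1-5 scales, the acceptance threshold and the order in which Avoid, Transfer and Mitigate are chosen are assumptions for illustration, not rules from the CISA notes.

```python
from dataclasses import dataclass

# Constructed 1-5 ordinal scales (assumption: not prescribed by the CISA notes).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskItem:
    asset: str                  # information asset (IA)
    threat: str
    vulnerability: str
    likelihood: str             # "possibility" in the threat -> vulnerability -> possibility -> impact chain
    impact: str
    adjustment: int = 0         # subjective judgment added to the score (technique 3: combine both)
    essential: bool = True      # False: the activity can be stopped, so Avoid is an option
    transferable: bool = False  # True: e.g. insurable or outsourceable, so Transfer is an option


def score(item: RiskItem) -> int:
    """Scoring mechanism: likelihood x impact plus the auditor's adjustment, clamped to 1..25."""
    raw = LIKELIHOOD[item.likelihood] * IMPACT[item.impact] + item.adjustment
    return max(1, min(25, raw))


def treatment(item: RiskItem, acceptable: int) -> str:
    """Pick one of the four disposal options against the pre-agreed acceptance threshold.
    Preference order is an assumption: Accept, then Avoid, then Transfer, else Mitigate."""
    if score(item) <= acceptable:
        return "Accept"
    if not item.essential:
        return "Avoid"
    if item.transferable:
        return "Transfer"
    return "Mitigate"


def assess(register: list, acceptable: int) -> list:
    """Return (asset, score, treatment) tuples ordered from highest to lowest risk."""
    ranked = sorted(register, key=score, reverse=True)
    return [(i.asset, score(i), treatment(i, acceptable)) for i in ranked]


# Constructed sample register; the acceptance threshold (6) is fixed before the assessment.
SAMPLE_REGISTER = [
    RiskItem("payroll database", "data theft", "unpatched DBMS", "possible", "severe"),
    RiskItem("legacy FTP server", "credential sniffing", "cleartext protocol", "likely", "moderate", essential=False),
    RiskItem("staff laptops", "theft", "no disk encryption", "likely", "minor", transferable=True),
    RiskItem("marketing website", "defacement", "outdated CMS plugin", "unlikely", "minor", adjustment=1),
]

if __name__ == "__main__":
    for asset, s, action in assess(SAMPLE_REGISTER, acceptable=6):
        print(f"{asset:20} score={s:2}  treatment={action}")
```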

3. Information system related control objectives and control measures

Two key questions of internal control: what to achieve and what to avoid.

Three categories of control: preventive, detective, corrective

5 key principles of COBIT5:

  1. Meet the needs of stakeholders

  2. End-to-end coverage of enterprises

  3. Adopt a single integrated framework

  4. Enable a holistic approach

  5. Distinguish management and governance (the board is responsible for governance, and the management is responsible for management)

4. Audit planning and audit project management techniques

4 categories of audit plan:

  1. Annual plan

  2. Short-term plan: audit items to be implemented in the year

  3. Long-term plan: consider the risk that changes to the organization's IT strategy will affect the IT environment

  4. Single audit task

The audit process and 8 steps:

  1. Audit object: determine the audit field

  2. Audit objectives: clear audit objectives

  3. Scope of audit: determine the specific system, function or unit to be checked

  4. Preliminary audit plan: determine required skills and resources; determine information sources for testing and inspection; determine audit locations and facilities

  5. Audit procedures and steps: select test methods; determine interview subjects; collect policies and standards; develop audit tools

  6. Evaluate test and inspection results

  7. Communicate the results to management

  8. Audit report


© Copyright 591Lab 2020. All Rights Reserved.