CISA Notes


  • 8/9/2019 CISA Notes


1. Gramm-Leach-Bliley Act is for regulation of [i]
2. Federal Information Security Management Act is for regulation of [ii]
3. HIPAA: Health Information Portability and Accountability Act
4. Fair and Accurate Credit Transaction Act [iii]
5. What is used as a reference point to ensure organizational compliance? [iv]
6. Policy and Standards are mandatory, whereas a guideline is discretionary
7. Policy -> Standard -> Guideline -> Procedure
8. Information obtained by the IS Auditor has to be maintained with privacy and confidentiality except for [v]
9. Relationship between CISA Auditor and Organization should be [vi]
10. Advice by the IS auditor to the organization on design decisions, detailed specifications or remediation of the organization is [vii]
11. PCAOB AS-1, SAS-1, SAS-37 and SAS-74 talk about [viii]
12. Two types of audit are [ix]
13. CISA IS Audit Standards
    a. S1 - Audit Charter
    b. S2 - Independence
    c. S3 - Professional ethics and standards of code
    d. S4 - Professional competence
    e. S5 - Planning
    f. S6 - Performance of Audit work
    g. S7 - Audit reporting
    h. S8 - Followup activities
    i. S9 - Irregularities and Illegal acts
    j. S10 - IT Governance
    k. S11 - Use of Risk analysis in Audit planning
14. IS Audit standards types or phases (for remembering purposes only)
    a. Requirements and Eligibility (AIPP)
       i. Audit charter
       ii. Independence
       iii. Professional ethics and standards of code
       iv. Professional competence
    b. Planning (P)
       i. Planning
    c. Execution and closure (PAWAR FACT)
       i. Performance of Audit Work
       ii. Audit Reporting
       iii. Followup Activities
    d. Management (III URAAP)
       i. Irregularities and Illegal Acts
       ii. IT Governance
       iii. Use of Risk Analysis in Audit planning


15. Is followup a responsibility of the Auditor, or is he authorized only to do the audit? [x]
16. If the word "should" appears in a statement in a regulation, it means [xi]
17. The only difference between Internal and external auditor is [xii]
18. Act 906 under SOX - [xiii]
19. Act 302 under SOX - [xiv]
20. SOX is essentially a [xv]
21. Effectiveness and efficiency of operational practices is verified by [xvi]
22. The Audit that verifies whether appropriate policies and procedures are in place and if they are implemented is called [xvii]
23. Maintaining the audit report is the responsibility of the client
24. What is a discovery request? [xviii]
25. To plan for an audit, the auditor should ask questions on the following topics to understand the business requirement. They are [xix]
26. Identifying restrictions on scope is part of audit pre-planning
27. Four types of risk responses are
    a. Accept the risk
    b. Mitigate
    c. Transfer
    d. Avoid
28. Materiality refers to [xx]
29. Sampling and non-sampling risk are [xxi]
30. Non-sampling risks are associated with [xxii]
31. Audit risk does not include risks of [xxiii]
32. Residual risk is one that [xxiv]
33. During the planning phase, what type of risks should the Auditor be concerned with? [xxv]
34. SAS-70 focuses on [xxvi]
35. To audit a service provider, what is required? [xxvii]
36.

[i] Financial transactions
[ii] Government
[iii] Credit processing
[iv] Standards
[v] Disclosure to legal authorities
[vi] Independent, i.e. the auditor should not be professionally, personally or organizationally related (for external auditors)
[vii] Violation of auditor independence
[viii] Auditor independence
[ix] Compliance (against a standard) and substantive (against a claim)
[x] The Auditor is also responsible for followups
[xi] It is recommended or discretionary. For required and mandatory it will be "shall"
[xii] Auditor independence
[xiii] Management attests to the integrity of financials and indicates that no hidden or questionable transaction exists


[xiv] Management attests that full disclosure of the internal controls has been made to the audit committee, and that no deficiencies or weaknesses were withheld
[xv] Disclosure law
[xvi] SAS-70
[xvii] Administrative audit
[xviii] Asking for necessary documentation from the client during the planning phase
[xix] Knowledge of Business, Strategic objectives, Financial objective (ROI), operational objectives (Internal Control)
[xx] Evidence that is significant and could change the outcome
[xxi] Detection risk
[xxii] Inappropriate use of procedures or inconsistent procedures
[xxiii] Technology, business or operational (BTO)
[xxiv] Remains after all mitigation efforts are performed
[xxv] IDC: Inherent, Detection and Control
[xxvi] Avoiding multiple organizations auditing the service provider
[xxvii] The client's original outsource contract should have included a provision for the right to audit along with the service level agreement. It must clearly state if SAS-70 is acceptable or an individual audit is required.