The Certified Information Systems Auditor E-Book

The Certified Information Systems Auditor: Reference Guide

Azhar ul Haque Sario

Copyright

Copyright © 2025 by Azhar ul Haque Sario

All rights reserved. No part of this book may be reproduced in any manner whatsoever without written permission except in the case of brief quotations embodied in critical articles and reviews.

First Printing, 2025

[email protected]

ORCID: https://orcid.org/0009-0004-8629-830X

LinkedIn: https://www.linkedin.com/in/azharulhaquesario/

Disclaimer: This book is free from AI use. The cover was designed in Microsoft PowerPoint.

Disclaimer: This publication is independently produced by the author under nominative fair use. It is not affiliated with, endorsed by, or sponsored by ISACA® or the Certified Information Systems Auditor (CISA) certification board in any form. All rights reserved © 2025 by Azhar ul Haque Sario.

Contents

Copyright

DOMAIN 1 – INFORMATION SYSTEMS AUDITING PROCESS

DOMAIN 2 – GOVERNANCE & MANAGEMENT OF IT

DOMAIN 3 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & IMPLEMENTATION

DOMAIN 4 – INFORMATION SYSTEMS OPERATIONS & BUSINESS RESILIENCE

DOMAIN 5 – PROTECTION OF INFORMATION ASSETS

Secondary Classifications – Tasks

About Author

DOMAIN 1 – INFORMATION SYSTEMS AUDITING PROCESS

Introduction: The Financial Bedrock of an IS Audit

In my years in the assurance and risk advisory field, I've seen a consistent, costly mistake. Organizations treat the Information Systems (IS) audit as a technical IT checklist. They see it as a "server room" problem. This is a fundamental, and often financially devastating, misunderstanding.

The IS audit, particularly its planning phase, is not an IT function; it is a critical business and financial governance function.

Every single transaction, every financial report, every strategic decision in a modern enterprise is underpinned by data and systems. The planning domain is where we, as auditors, affirm our credibility. It's where we build the business case for why we are looking at certain systems and not others. We are not just protecting data; we are providing assurance over the very integrity of the financial statements and the mechanisms that protect shareholder value.

This isn't about finding "gotchas." This is about providing credible conclusions on risk, control, and security solutions that the Board of Directors, the Audit Committee, and external regulators can bank on. Getting the planning phase wrong is like building a skyscraper on a faulty foundation. It’s not a matter of if it will fail, but when—and the cleanup is always exponentially more expensive than getting it right the first time.

A.1: IS Audit Standards, Guidelines, and Codes of Ethics

When we walk into an organization to conduct an audit, we don't just show up with a laptop and a hunch. Our entire practice is built on a foundation of globally accepted professional standards. This isn't optional. This is the source of our authority and the guarantee of our quality. For our profession, the primary authority is ISACA (Information Systems Audit and Control Association) and its Information Technology Assurance Framework (ITAF).

These standards are the "mandatory rules of the game." They are non-negotiable. Think of them as the Generally Accepted Auditing Standards (GAAS) that our colleagues in financial audit (like CPAs) live by. The most critical standard, in my view, is the one concerning independence. We must be independent in both fact and appearance. If my team helped implement the new SAP general ledger system, we are ethically barred from auditing it for a period. To do so would be a severe conflict of interest, and any "assurance" we provide would be worthless. This is the same principle that prevents a company's CFO from also being its external auditor.

Alongside the mandatory standards, we have guidelines. These are the "how-to" manuals. They provide best practices for applying the standards. For example, a standard might require us to gather "sufficient and appropriate" evidence. A guideline will provide examples of what that means in practice, such as sampling techniques, interview methods, or how to document a system walkthrough. While we can deviate from guidelines, we must have a very compelling, documented reason for doing so.

Finally, and most importantly, we have the Code of Professional Ethics. This is our moral compass. It's the oath we take. It binds us to:

Independence and Objectivity: We must be impartial. Our findings must be based on evidence, period. We can't soften a high-risk finding because we're friends with the CIO or because we're afraid it might impact a bonus.

Due Professional Care: This is the "be thorough" clause. We must be diligent, skeptical, and meticulous. We can't just check a box; we must actually test the control.

Competence: We must not take on work we aren't qualified for. If a client has a complex, custom-built mainframe environment and my expertise is in cloud-based Windows servers, I am ethically bound to either gain that competence or bring in an expert who has it.

Confidentiality: We will see the "crown jewels" of the organization—sensitive financial data, strategic plans, and intellectual property. Disclosing this information is a cardinal sin.

The financial tune here is direct: a breach of these ethics isn't just an internal HR matter; it's a catastrophic financial event. If an external auditor or a regulator (like the SEC or a banking authority) discovers that our internal IS audit team lacked independence or competence, they will invalidate all our work. This could mean the external auditor refuses to sign off on the company's 10-K, triggering a stock price collapse and shareholder lawsuits. Our adherence to these standards is the bedrock of market confidence.

A.2: Types of Audits, Assessments, and Reviews

Part of the planning process is defining exactly what kind of engagement we are performing. These terms are often used interchangeably by management, but for us, they have very specific, legally distinct meanings. Choosing the wrong engagement type is like using a hammer to fix a watch.

1. Audits (Formal Engagements)

This is the most formal and rigorous activity. An audit is a systematic, evidence-gathering process that culminates in a formal, independent opinion. We are stating our professional judgment on whether a system's controls are designed effectively and operating as intended.

Finance-Based Example: The classic is the Sarbanes-Oxley (SOX) IT General Controls (ITGC) Audit. We are not just looking at "IT stuff." We are testing the specific controls (like logical access and change management) over the specific systems (like Oracle Financials or the AS/400 mainframe) that process transactions and feed into the company's financial statements. Our opinion is directly relied upon by the company's external financial auditors (like Deloitte, PwC, etc.) to support their opinion on the financial statements. A failed ITGC audit can lead to a finding of "Material Weakness" in internal controls, which is a major red flag to investors.

2. Assessments

An assessment is typically a gap analysis. It's less about a binary "pass/fail" opinion and more about measuring a system or process against a specific framework to determine its maturity. The deliverable isn't an "opinion" but a report showing "Here is where you are, here is where the standard says you should be, and here are the 15 gaps you need to close."

Finance-Based Example: A PCI-DSS (Payment Card Industry Data Security Standard) Readiness Assessment. A retail company wants to launch a new e-commerce platform. Before they go live and risk massive fines for non-compliance, they hire us to assess their planned environment against the 12 PCI requirements. We provide a detailed report of gaps (e.g., "You are not encrypting cardholder data at rest") so they can remediate before the formal, and very expensive, PCI QSA (Qualified Security Assessor) audit. This is a proactive, cost-saving engagement.

3. Reviews

A review is a "lighter touch" engagement. It involves inquiry and analysis but typically doesn't involve the same depth of technical, evidence-based testing as a full audit. It provides "limited assurance" rather than a full "opinion."

Finance-Based Example: A Post-Implementation Review of a New Wire Transfer Module. The treasury department just spent $5 million on a new system. Two months after go-live, the Audit Director asks us to perform a review. We'll interview the project team, review project documentation, and check if the key controls (like dual-approval for transfers over $1 million) were built as specified. We're not doing a full-blown penetration test, but we are providing management with quick, valuable feedback on whether the project delivered what it promised and if the immediate risks are being managed.

Each of these serves a distinct business and financial purpose. The planning phase is where we must get written, formal agreement in our Audit Charter on which service we are delivering, as the scope, timeline, and level of assurance are all drastically different.

A.3: Risk-Based Audit Planning

This is, without question, the most critical part of the entire planning process. This is where we separate the "wheat from the chaff." In my fieldwork, I've seen audit departments that fail here; they audit the same things every year, regardless of changes in the business. They are "checking boxes," not managing risk.

A modern IS audit department cannot, and should not, audit everything. We have limited resources—time, budget, and skilled people. We must apply those resources to the areas that pose the greatest risk to the organization. This is the risk-based approach.

The process is logical and defensible:

1. Understand the Enterprise: We don't start by looking at a list of servers. We start in the boardroom. We read the 10-K, the annual report, and the strategic plan. We interview senior executives. We ask: "How does this company make money? What are our crown jewel assets? What keeps you up at night?" For a bank, the answer is the core deposit system and the wire transfer platform. For a pharmaceutical company, it's the R&D intellectual property.

2. Build the Audit Universe: We create a comprehensive inventory of all auditable IT processes, systems, and assets. This includes everything from the SAP S/4HANA environment to the third-party payroll provider, to the change management process itself.

3. Perform a Risk Assessment: This is the heart of the matter. We take that universe and, in collaboration with management, we rank each item based on risk. Risk is a function of Impact (What's the financial or reputational cost if this breaks?) and Likelihood (What's the probability of it breaking?).

Impact: This is a financial calculation. A failure of the cafeteria's point-of-sale system has a low financial impact. A failure of the Accounts Payable system, allowing for $10 million in fraudulent vendor payments, has a catastrophic financial impact.

Likelihood: This is based on factors like system complexity, age, past audit findings, and the threat environment. A brand new, complex system that's constantly changing is much more likely to have control failures than a 20-year-old legacy system that is stable and well-understood.

4. Develop the Annual Audit Plan: The output of this risk assessment is a prioritized list. The items at the top—the high-impact, high-likelihood ones—form our mandatory annual audit plan.

Finance-Based Example: Our risk assessment identifies the "New Vendor Creation" process in the A/P system as a top risk. A threat (a fraudster) could exploit a vulnerability (a lack of segregation of duties) to create a fake vendor and pay them. The financial impact is immediate and material. This process goes to the top of our audit plan and will receive a full-scope audit every single year. Conversely, the HR department's training portal is identified as low-risk. It might only get a light review once every three years.

This risk-based plan is our single most important document. We present it to the Audit Committee of the Board of Directors. It is our justification for our budget and our mandate for the year. It ensures we are not wasting time auditing low-risk "noise" and are instead focused squarely on protecting the financial and strategic assets of the firm.

A.4: Types of Controls and Considerations

Once our plan is set and we know what we're auditing, the final stage of planning is to understand what we're looking for. We are looking for controls. Controls are the policies, procedures, and technical mechanisms put in place by management to mitigate risk.

In my experience, this is where many junior auditors get lost in the technical weeds. You must be able to categorize controls to understand their purpose. There are two primary ways we slice this: by function (ITGC vs. App) and by timing (Preventive, Detective, Corrective).

1. Categorization by Function (The "Where")

IT General Controls (ITGCs): These are the foundational, "umbrella" controls that apply to the entire IT environment. If your ITGCs are weak, you cannot trust any of the applications running in that environment.

Logical Access: Who can log in? What can they do? This includes password policies, user account provisioning, and, critically, Segregation of Duties (SoD). Financial Example: The person who can create a new vendor in the A/P system must not be the same person who can approve a payment to that vendor. That's a classic ITGC access control.

Change Management: How is new code or a system patch moved from development to testing to production? A strong process ensures that all changes are authorized, tested, and documented. Financial Example: This control prevents a single developer from pushing code that "rounds" fractions of pennies from millions of transactions into their personal bank account—a classic fraud.

Program Operations: Are systems running as intended? Are backups completed and tested? Is antivirus up to date?

Application Controls: These are specific controls built into the software to ensure data is processed completely, accurately, and validly.

Input Controls: "Garbage in, garbage out." These controls check data before it's processed. Financial Example: A wire transfer input field that rejects any entry containing letters or a dollar amount over the user's pre-approved limit.

Processing Controls: These check data during processing. Financial Example: The famous 3-Way Match. In an A/P system, the software will not schedule a payment until the Purchase Order (what we ordered), the Receiving Report (what we got), and the Invoice (what we were billed for) all match.

Output Controls: These verify the results. Financial Example: A daily reconciliation report that flags any discrepancy between the sub-ledger (e.g., Accounts Receivable) and the General Ledger.

2. Categorization by Timing (The "When")

Preventive Controls: These are the strongest. They stop the bad thing from happening. A password, a firewall rule, and the 3-Way Match are all preventive. They are the first line of defense.

Detective Controls: These are the second line. They identify the bad thing after it has happened. A system log that records failed login attempts, or an exception report of all wire transfers over $100,000, are detective. They are useless unless someone is actively reviewing them.

Corrective Controls: These are the final line. They help you recover from the bad thing. The most critical corrective control is a well-tested disaster recovery and data backup plan.

As auditors, we are looking for a healthy mix of all these. Our "lived experience" shows that relying only on detective controls is a failing strategy. You're just counting the money after it's already left the building. A robust control environment, which is the ultimate goal of our audit, leans heavily on preventive and automated controls, backed up by diligent detective and corrective measures. This is the only way to provide true, credible assurance over the information systems that drive the modern financial enterprise.

A Deep Dive into the IS Audit Execution Process

The "Execution" phase of an Information Systems (IS) audit is where planning meets practice. This is where theory stops and the real investigative work begins. It’s the engine room of the audit. You've done the risk assessment, you've outlined your plan, and now your team is on the ground, engaging with the business, and digging into the systems.

How this phase is managed separates a high-value, respected audit function from a simple "check-the-box" compliance team. In the financial world, the stakes are binary: you are either providing real assurance that regulators and the board can rely on, or you are not. There is no middle ground.

Let's walk through the critical components of this phase, one by one.

1. Audit Project Management

In my experience, the most technically brilliant auditor can fail if they are a poor project manager. An IS audit is a project. It has a defined scope, a fixed timeline, and a limited budget of hours. Managing it as anything less is the first step toward failure.

Project management in an audit context is a delicate balancing act. On one side, you have your audit standards and your objective. On the other, you have a living, breathing business that doesn't stop just because you're auditing it. Your primary job is to manage the "iron triangle": scope, time, and resources.

Scope is the most dangerous variable. We call it "scope creep." You may be testing a bank's wire transfer application, and a manager mentions they also have a new crypto-trading module they're "beta testing." It sounds interesting, but is it in your scope? If you chase it, you'll burn hours you don't have. A strong project manager recognizes this, documents it, and assesses its risk. If the risk is high, you don't just "add it." You formally escalate to the audit committee, request the scope be officially changed, and allocate the necessary resources.

We use tools just like any IT project. Gantt charts map out our timeline. Kanban boards can help us track the status of evidence requests—"To Do," "Requested," "Received," "In Review." We hold weekly "scrum" or "sprint" meetings with the audit team to discuss roadblocks. Is IT not giving us the server logs we asked for? That's a project management issue. It needs to be escalated immediately, not a week later when the timeline is already broken.

For example, on a recent engagement, we were auditing a loan origination system. Our database expert (a key resource) was scheduled for week two. But the business informed us the key database administrator (DBA) was going on vacation that week. The audit project manager immediately re-shuffled the plan, moving up interviews and policy reviews to week two and pushing the technical database testing to week three. This seems simple, but without that active management, the team would have sat idle for a week, and the entire audit would have been delayed, reflecting poorly on our department.

2. Audit Testing and Sampling Methodology

This is the core "how-to" of our work. We cannot, and should not, test 100% of everything. It's not feasible to review all ten million transactions that a financial exchange processed yesterday. So, we must develop an intelligent, defensible method for testing. This breaks down into two main areas: the type of test and the method of selection.

First, you have compliance testing. This asks, "Does the control exist and is it being used?" For example, does the system require a password change every 90 days? We test this by inspecting the system's configuration. It's often a "yes" or "no" answer.

Second, you have substantive testing. This asks, "Is the data accurate and correct?" For example, the system has a control to calculate loan interest (compliance), but is it calculating the interest correctly? To test this, we would recalculate the interest for a sample of loans and compare our result to the system's.

To select that sample, we have two primary methodologies. The first is non-statistical sampling, often called "judgmental sampling." This is where I use my professional experience to pick items I believe are high-risk. I am not trying to make a statement about the whole population. For instance, I might decide to test all wire transfers over $5 million. Or I might test all new user accounts created by one specific IT admin who seems to have too many permissions. It's targeted and based on risk.

The second, and more powerful, method is statistical sampling. This is where we use mathematics to select a random sample that is representative of the entire population. This allows us to say, "We are 95% confident that the error rate for all transactions is no more than 2%." In the financial world, this is critical. Regulators love this approach because it's objective and defensible. We can use software to generate random attribute samples or monetary unit samples.

A real-world example: We were auditing access controls at an asset management firm. We used judgmental sampling to test 100% of the "super-user" accounts. We then used statistical sampling to select 120 regular employees from the entire population of 3,000. This combination gave us both deep coverage on the highest-risk items and broad, statistically valid coverage across the entire organization.

3. Audit Evidence Collection Techniques

An audit finding is just an opinion until it is backed by evidence. Your entire report, your recommendations, and your professional credibility rest on the quality of the evidence you collect. That evidence must meet three criteria: it must be sufficient (is there enough of it?), reliable (can I trust it?), and relevant (does it actually relate to my audit objective?).

We have a hierarchy of collection techniques, from least to most reliable.

Inquiry: This is simply asking questions. "Do you approve all access requests before they are granted?" A manager will almost always say "yes." It's a good starting point, but it is the weakest form of evidence because it's unverified.

Observation: This is watching someone perform a task. I might sit with a data center operator and watch them perform the nightly server backup procedure. This is better than inquiry, but it has a flaw: people often perform a task perfectly when the auditor is watching.

Inspection (or Examination): This is where we get our hands on the "proof." If a manager says they approve all access, I say, "Please provide me with the 50 most recent access request tickets and their corresponding, time-stamped approvals." This is strong evidence. This also includes inspecting system configuration files, firewall rulesets, and server logs.

Re-performance: This is the gold standard of evidence. I don't just watch you do the calculation; I take the raw data and perform the calculation myself. For a financial reconciliation, I would independently pull the data from the general ledger and the sub-ledger and perform the reconciliation myself. If my numbers match the finance team's numbers, I have collected the strongest possible evidence that the control is effective.

During an audit of a bank's change management process, the IT team inquired that all code changes are tested before promotion to production. We then inspected the change tickets and saw they all had a "QA Tested" box checked. That's good, but not great. We then took one specific code change, went into the test environment, and re-performed the exact test script ourselves. This confirmed the test was valid and the control was truly effective.

4. Audit Data Analytics

This has fundamentally changed the profession. For decades, auditing was almost entirely based on sampling. We accepted that we could only look at a tiny fraction of the data. Data analytics allows us to move from sampling to testing 100% of the population.

Instead of asking, "Let's check 50 journal entries," I can now say, "Give me all 10 million journal entries for the entire year." In my experience, the insights we can pull from this are staggering. We use specialized tools (like ACL, IDEA, or even custom Python/SQL scripts) to run tests that would be impossible manually.

What can we find?

Anomaly Detection: We can find outliers instantly. "Show me all expense claims approved at 3:00 AM on a Sunday." "Show me all payments made to a vendor on a national holiday." These aren't necessarily fraud, but they are high-risk anomalies that need to be investigated.

Pattern and Trend Analysis: We can join different data sets. "Cross-reference the employee payroll file with the vendor master file. Do any employees share a bank account or address with a vendor?" This is a classic fraud detection test.

Benford's Law: This is a fascinating mathematical principle. It states that in many naturally occurring datasets (like financial transactions), the number "1" will appear as the first digit about 30% of the time, "2" about 17% of the time, and so on. Numbers in a fraudulent, made-up dataset often don't follow this pattern. If we run this test on an expense report file and the number "9" is the most common first digit, that is a massive red flag.

A recent example: At an insurance firm, we analyzed 100% of the claims paid for the year. We ran an analysis to find claims that were submitted, approved by a claims adjuster, and paid out, all within 60 seconds. A human cannot do that. We found a small cluster of these, which led us to an automated "bot" that was approving fraudulent claims. Sampling would have never found this.

5. Reporting and Communication Techniques

I have seen technically masterful audits fail completely at this final hurdle. If you cannot communicate your findings in a way that management understands and is compelled to act upon, you have wasted your time.

A brilliant technical finding buried in a 100-page, jargon-filled report will be ignored. Communication is an art, and it must be continuous. The worst thing you can do is be a "submarine" auditor—disappear for six weeks and then surface with a "gotcha" report full of findings.

We practice a "no surprises" policy. We communicate our findings in real-time. We hold weekly status meetings with IT and business management. When we identify a potential issue, we write it up and immediately send it to the process owner for validation. This ensures we haven't misunderstood anything and gives them a chance to correct it before the final report.

When we write a formal finding for the report, we use a framework often called the "5 C's":

Criteria: What should be happening? (e.g., "The company's security policy requires all critical servers to be patched within 30 days.")

Condition: What is actually happening? (e.g., "We found that 10 critical servers supporting the trading platform have not been patched in 90 days.")

Cause: Why did the difference happen? (e.g., "This occurred because the servers were improperly tagged in the asset inventory system, so they were missed by the automated patch-management tool.")

Consequence: What is the "so what?" This is the most important part, especially for finance. What is the risk or financial impact? (e.g., "As a result, these servers are vulnerable to known exploits, which could lead to a system compromise, trading stoppage, and potential regulatory fines estimated at over $1M per day.")

Corrective Action (or Recommendation): What must be done to fix it? (e.g., "We recommend these servers be patched immediately and the asset inventory be corrected within five business days.")

This structure transforms a technical complaint into an actionable business risk, which is exactly what the board and senior management need to see.

6. Quality Assurance and Improvement of Audit Process

Finally, we must audit ourselves. Our stakeholders—the audit committee, executive management, and external regulators—rely on our work. If our own processes are sloppy, our conclusions are worthless, and we lose all credibility.

A mature audit department has a robust Quality Assurance and Improvement Program (QAIP). This isn't just a suggestion; it is a requirement under the standards from the Institute of Internal Auditors (IIA).

This program has two parts. First, there are internal assessments. This includes "hot reviews," where an audit manager or director reviews the audit team's workpapers before the audit is finalized and the report is issued. They check that the evidence is sufficient, the conclusions are logical, and the findings are well-written. It also includes "cold reviews," where, months later, a separate team reviews the entire completed audit file to ensure it met all departmental standards.