@ISACA Volume 8  22 April 2015

Eight Types of Audit Evidence

By Leighton Johnson, CISA, CISM, CIFI, CISSP

Evidence found through testing, evaluating and auditing is often critical to organizational executives making risk-based decisions concerning the operation of the system under review. Auditors obtain the required evidence during the audit process to allow the appropriate organizational officials to make objective determinations about the effectiveness of their security and privacy controls and the overall security and privacy state of the information system.

Auditors obtain such evidence from tests that determine how well security controls work (i.e., compliance tests) and tests of confidentiality, integrity and availability details, such as the completeness and disclosure of information (i.e., substantive tests).

Substantive testing addresses the existence, rights and obligations, occurrence, completeness, valuation, measurement, presentation and disclosure of a particular transaction or of a security control in action. There are many mechanisms by which auditors can gain the appropriate evidence for evaluation.

  1. Physical examination/inspection—Inspection involves examining records or documents, whether internal or external, in paper form, electronic form or other media, or physically examining an asset. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source and, in the case of internal records and documents, on the effectiveness of the controls over their production.
  2. Confirmation—The auditor asks the organization to request that a third party respond directly to the auditor. Confirmation, by definition, is the receipt of a written or oral response from an independent third party verifying information requested by the auditor. Because it comes from an external independent source, confirmation is generally considered more credible than evidence from an internal source; that credibility depends on the auditor controlling the request and the response channel, since a confirmation routed through the auditee is no stronger than an internal document. Most financial auditors confirm balances (e.g., creditors’ and debtors’ balances) by sending confirmation letters to external independent sources such as banks and vendors.
  3. Documentation—Documentation consists of the organization's business documents used to support security and accounting events. Its strength is that it is prevalent and available at low cost. Documents can be generated internally or externally. Internal documents provide less reliable evidence than external ones, particularly if the client's internal control is suspect; external documents prepared by qualified parties such as attorneys or insurance brokers provide additional reliability. The use of documentation to support a client's transactions is called vouching.
  4. Analytical procedures—Analytical procedures consist of evaluations of financial information made by studying plausible relationships among financial and nonfinancial data. They include comparisons of account balances and relationships as a check on reasonableness, and the investigation of significant differences from expected amounts. Recalculation, which consists of checking the mathematical accuracy of documents or records, may be performed manually or electronically.
  5. Interviews of the users/developers/customers—Interviewing users, key personnel, system owners and other relevant personnel is often used as a starting point to determine the proper use and implementation of controls. Typically, interviews are conducted with users and leaders such as agency heads, chief information officers, senior agency information security officers and authorizing officials, individually or in groups, to facilitate auditor understanding, achieve clarification or obtain evidence.
  6. Reuse of previous work—The acceptability of using previous audit results in a security control audit or privacy control audit is coordinated with and approved by the users of the audit results. It is essential that information system owners and common control providers collaborate with authorizing officials and other appropriate organizational officials in determining whether previous results are acceptable, which includes considering whether the system or its environment has changed materially since those results were produced.
  7. Automated test results—Scanners, integrity checkers and automated test environments are all examples of automated outputs used by auditors. Scanning reviews typically search the output for large or unusual items that indicate errors or exceptions. For example, if there is a maximum or minimum loan amount, one can scan the loan book for amounts outside the stated range. Configuration compliance checkers review system configuration and user account details against an expected baseline, using utility tools or scripts. Such output is only as reliable as the tool's configuration and coverage, so the auditor should record the tool, its version and settings, the exact input examined and the time of the run alongside the results.
  8. Observation—Observation can provide audit evidence about the performance of a process or procedure, but the evidence is limited to the point in time at which the observation takes place and also is limited by the fact that the act of being observed may affect how the process or procedure is performed.
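As an added illustration of item 7 (this is example code written for this article, not the author's or ISACA's tooling), the following Python script produces two kinds of automated evidence: a range scan over a loan book for amounts outside stated limits, and a configuration compliance check of an sshd_config-style text against a baseline. Each result is wrapped in an evidence record carrying a SHA-256 digest of the exact input examined and a UTC timestamp, so the finding can later be tied to what was tested. The loan records, the limits, the configuration text and the baseline values are all constructed for the example and are not taken from any real system.

```python
"""Added example: two automated evidence sources from item 7, each wrapped in
an evidence record that identifies exactly what was examined and when.
All data, limits and baseline values below are constructed for illustration."""
import hashlib
from datetime import datetime, timezone

# Constructed loan book: (loan_id, amount). The limits are assumed policy values.
LOAN_BOOK = [("L-1001", 25_000), ("L-1002", 500),
             ("L-1003", 250_000), ("L-1004", 1_200_000)]
MIN_LOAN = 1_000
MAX_LOAN = 1_000_000


def scan_out_of_range(records, lo, hi):
    """Return the records whose amount falls outside the closed range [lo, hi]."""
    return [(loan_id, amt) for loan_id, amt in records if amt < lo or amt > hi]


# Constructed configuration text (sshd_config style) and an assumed baseline.
# The later duplicate of PermitRootLogin is deliberate: sshd uses the FIRST
# value it reads, so the "compliant" line near the end is ignored by the daemon
# and must be ignored by the checker too, or the finding is missed.
CONFIG_TEXT = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding	yes
# a later duplicate that sshd ignores
PermitRootLogin no
"""
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_config(text):
    """Parse top-level 'Key value' directives, skipping blanks and comments.
    The first occurrence of a key wins, matching sshd_config semantics.
    Match blocks are not handled; this is a simplified parser for the example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_compliance(text, baseline):
    """Return {key: (expected, actual)} for every baseline item not satisfied.
    A key absent from the config is reported with actual=None: an unset
    directive falls back to the software default, which the auditor must
    verify separately rather than assume compliant."""
    actual = parse_config(text)
    findings = {}
    for key, expected in baseline.items():
        got = actual.get(key)
        if got is None or got.lower() != expected.lower():
            findings[key] = (expected, got)
    return findings


def evidence_record(test_name, examined, findings):
    """Wrap a result with a digest of the exact input examined and a timestamp,
    so the evidence can be tied to the artefact that was tested."""
    digest = hashlib.sha256(examined.encode("utf-8")).hexdigest()
    return {
        "test": test_name,
        "input_sha256": digest,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "finding_count": len(findings),
        "findings": findings,
    }


def collect_evidence():
    """Run both automated tests over the constructed inputs and return the records."""
    loan_findings = scan_out_of_range(LOAN_BOOK, MIN_LOAN, MAX_LOAN)
    config_findings = check_compliance(CONFIG_TEXT, BASELINE)
    return [
        evidence_record("loan amount range scan", repr(LOAN_BOOK), loan_findings),
        evidence_record("sshd_config baseline check", CONFIG_TEXT, config_findings),
    ]


if __name__ == "__main__":
    for record in collect_evidence():
        print(record["test"], record["finding_count"], "finding(s)")
        for item in (record["findings"].items()
                     if isinstance(record["findings"], dict) else record["findings"]):
            print("  ", item)
```

The script flags the two out-of-range loans, reports PermitRootLogin and X11Forwarding as non-compliant, and reports MaxAuthTries as unset rather than silently treating the default as acceptable. The digest in each record is what lets a reviewer later confirm that the finding was produced from the same configuration file or data extract that is filed with the audit.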

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


Get Creative With Your Risk Management Policy


In many organizations, creativity is discouraged when it comes to risk management. As technology develops rapidly, so should approaches to risk management. Innovative risk management policies can increase the quality, efficiency and accuracy of risk management practices. To help organizations better embrace creative approaches to risk management, ISACA and Capella University have partnered to bring you the “Innovative Risk & Digital Business Frameworks” webinar. This webinar will take place on 23 April at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Bhavesh C. Bhagat, CISM, CGEIT, cofounder of Confident Governance and chairman at EnCrisp LLC, will lead the webinar. Bhagat will discuss practical ways of applying creative and agile techniques to your risk management program. He will also provide real-life examples of creative solutions that have been used to add enterprise value.

To register for the webinar or to learn more about it, visit the Innovative Risk & Digital Business Frameworks page of the ISACA web site.


Creating Successful Habits


Setting goals can help you develop your ideal career. Set monthly, quarterly or biannual goals to enhance your expertise, build your network and gain new skills.

Now is the time to strengthen the habit of using your ISACA membership as a tool to achieve these professional goals. Your ISACA membership includes a wealth of knowledge and tools to help you succeed.

Consider, for example, setting a monthly reminder on your calendar to review ISACA’s latest research publications. Making that reading part of your monthly routine establishes the habit of working toward your professional goals and builds your expertise. The key to successful habits is mastering one small change at a time.

Start creating successful habits now. Become the professional you were meant to be. Ensure you have uninterrupted access to ISACA resources. Renew your membership or become a member today.


Ballots for Bylaws Vote to Be Distributed 27 April


The ISACA Governance Advisory Council, at the request of the Board of Directors and with the assistance of ISACA staff and legal counsel, undertook a comprehensive review of ISACA’s bylaws. This review provided the basis for a full refresh of the bylaws to align them with best practices and comply with applicable laws.

The revised bylaws draft, which will be offered for adoption by the ISACA membership, was approved unanimously by the ISACA Board of Directors at its 28 February 2015 meeting in Mumbai, India.

ISACA members will have the opportunity to vote to approve the new bylaws beginning 27 April at 9AM CDT (UTC -5 hours) until 6 June at 1AM CDT (UTC -5 hours). Votes can be cast by electronic ballot or in person at the ISACA annual membership meeting at the Steigenberger Grandhotel, 71 Avenue Louise, 1050 Brussels, Belgium, from 8 to 9AM CEST.

If for any reason you are not able to vote electronically, ISACA will provide a paper ballot. The deadline to request a paper ballot is 15 May. To request a paper ballot, please contact bylaws@isaca.org.

ISACA’s current bylaws state the quorum requirement as follows: “Votes represented either in person or by written ballot shall constitute a quorum.” The threshold for approval of any question is “a majority vote of those present in person or by written ballot.” Only one vote per ISACA member is allowed.

For more information on the bylaws vote, visit the Bylaws and Articles of Incorporation page of the ISACA web site. Questions? Contact bylaws@isaca.org.


Have You Renewed Your Certifications for 2015?


Certification renewals for 2015 are now open. Completing your certification renewal is a 2-step process and requires payment of the 2015 certification annual maintenance fee and reporting of the required number of continuing professional education (CPE) hours earned in 2014. Certification maintenance fees can be paid safely and securely on the Renew page of the ISACA web site. Your 2014 CPE hours can be reported on the MyCertifications page of your ISACA profile. Please remember that all ISACA certification CPE policies require earning 20 CPE hours annually and 120 CPE hours over a 3-year cycle.

When you log into the MyCertifications page, the dashboard display provides you with an overview of your certification status, including what is needed to complete your 2015 renewal.

If you have not yet added all of your 2014 CPE hours, there is still time to do so. While on the MyCertifications page, click on Manage My CPE > Add CPE button and follow the prompts for adding CPE. If you are unsure if a particular activity qualifies, pages 4 and 5 of the CPE policy define the qualifying activities for CPE. Please make note of the activities that have yearly limits.

CPE policies can be viewed on the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) CPE policy pages of the ISACA web site. Questions? Contact certification@isaca.org.


Book Review: Information Technology Control & Audit, 4th Edition

Reviewed by Maria Patricia Prandini, CISA, CRISC

Information Technology Control & Audit, 4th Edition offers a comprehensive and up-to-date perspective on how controls can serve a successful IT governance and management program and on what is needed to carry out a sound audit.

With a vast scope, this book explores the audit and control perspective on new technologies such as cloud computing, virtual applications and enterprise resource planning (ERP) solutions, while still covering the very basics of IT controls and audit.

This book begins by covering the importance of IT controls and audits and the legal environment’s impact on IT. It then discusses IT planning and organization, IT acquisition and implementation and IT project management. This 4th edition also covers IT delivery and support and provides ways for readers to handle service management, operations and systems. It concludes by discussing emerging topics and analyzes recent advances (e.g., ERP, cloud computing, web-based applications), all of which impact IT controls and audits.

The book is comprehensive and easy to read, even though the subject is complex and sometimes challenging. Authors Sandra Senft, Frederick Gallegos and Aleksandra Davis do a good job going from the basics of IT audit and controls to up-to-date perspectives of new technologies from the auditor’s point of view. Practical exercises are provided in addition to audit programs and cases, making this book a valuable tool for every professional interested in learning more about the subject. Academics could also benefit from this publication, because it offers very thorough coverage of the field of IT audit and controls.

Aligned with COBIT and mapped to the Certified Information Systems Auditor (CISA) Review Manual, the book could also assist in preparing for the CISA exam and the Certified in the Governance of Enterprise IT (CGEIT) exam.

Information Technology Control & Audit, 4th Edition is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Maria Patricia Prandini, CISA, CRISC, has a long career as a public official in different information technology positions in the Argentine government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires Chapter.