CISA Refresher 6 Flashcards Preview



Audit Charter

document that states management's objectives for and delegation of authority to IS audit. Should be approved at the highest levels of management, and should outline the overall authority, scope, and responsibilities of the audit function. Should not significantly change over time.


Engagement Letter

a letter that formalizes the contract between the auditor and the client and outlines the responsibilities of both parties; focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind


Audit Plan

A list of the audit procedures the auditors need to perform to gather sufficient appropriate evidence on which to base their opinion on the financial statements; consists of both short-term and long-term planning


Sarbanes-Oxley Act of 2002

Law that requires companies to maintain adequate systems of internal control


Professional Independence

In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance


Organizational Independence

The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment


Audit Risk

the risk that information may contain a material error that may go undetected during the course of the audit


Error Risk

the risk of errors occurring in the area being audited


Information Technology Assurance Framework (ITAF)

provides an integrated process (involving technical and non-technical aspects) for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization's mission


General standards

standards that establish the guiding principles under which the IT assurance profession operates; they apply to the conduct of all assignments, and deal with the IT audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill


Performance standards

standards that establish baseline expectations in the conduct of IT assurance engagements; focused on the design of the assurance work, the conduct of the assurance, the evidence required, and the development of assurance and audit findings and conclusions


Reporting standards

standards that address the types of audit reports, means of communication, and information to be communicated at the conclusion of an audit


Risk analysis

part of audit planning, and helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks


Risk
the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization; the combination of the probability of an event and its consequence


Business Risk

a risk that may negatively impact the assets, processes or objectives of a specific business or organization


IT Risk

the risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise


Risk Assessment Process

1. Identify Business Objectives


Internal controls

normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risk to the organization; developed to provide reasonable assurance to management that the organization's business objectives will be achieved and risk events will be prevented, or detected and corrected


Preventive controls

Controls that deter control problems before they occur


Detective controls

Controls that discover problems as soon as they arise


Corrective controls

Controls that remedy control problems that have been discovered


Control objectives

statements of the desired result or purpose to be achieved by implementing control activities (procedures)


IS Control objectives

provide a complete set of high-level requirements to be considered by management for effective control of each IT process


COBIT 5
a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT; helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use


COBIT 5 Principles

1. Meeting stakeholder needs



include policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved


Compliance Audit

an audit that includes specific tests of controls to demonstrate adherence to specific regulatory or industry standards


Financial Audit

an audit that assesses the accuracy of financial reporting


Operational Audit

an audit designed to evaluate the internal control structure in a given process or area


Integrated Audit

an audit that combines financial and operational audit steps