CISA REVIEW – The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material (PowerPoint presentation)

Uploaded by olivia on 2021-12-08
Presentation Transcript

Slide 1

CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Slide 2

Chapter 1 – Learning Objectives

Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

Plan specific audits to ensure IT and business systems are protected and controlled.

Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

Communicate emerging issues, potential risks and audit results to key stakeholders.

Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Slide 3

Chapter 1 – The IS Audit Process

An IS audit is defined as the process of collecting and evaluating evidence to determine whether the information systems and related resources:

adequately safeguard assets,

maintain data and system integrity,

provide relevant and reliable information,

achieve organizational goals effectively, and

consume resources efficiently.

Slide 4

Chapter 1 – The IS Audit Process

An IS audit is intended to assess whether internal controls provide reasonable assurance that:

business, operational and control objectives will be met, and

undesired events will be prevented, or detected and corrected, in a timely manner.

Slide 5

Chapter 1 – The IS Audit Process

IS auditors are expected to comply with a code of professional ethics, and to conduct their work in accordance with specific standards, guidelines, and procedures.

You will not be tested on the precise text of the various standards, guidelines and procedures. Rather, the exam will focus on your understanding of them and how they are applied in specific situations.

Slide 6

Chapter 1 – The Audit Charter

An audit charter establishes the role of the IS audit function.

An IS audit can be integrated within a financial or operational audit, or it can be part of an internal audit.

The charter should include:

A clear statement of management's responsibility and objectives for the audit function

Management's delegation of authority to the audit function

The overall authority, scope and responsibilities of the audit function

The reporting lines and relationships

Slide 7

Chapter 1 – The Audit Charter

A definition of the organizational independence of the internal audit, including accountability of the audit and provision for objective assessment of its resource requirements

A recognition of the control environment of the organization (operations, resources, services, responsibilities to external entities)

The internal audit's right of access to all records, assets, personnel and premises, including those of partner organizations

The internal audit's authority to obtain the information and explanations it considers necessary to fulfill its responsibilities

The charter should be approved at the highest management level and by the audit committee, if one exists.

Once the charter has been established, any changes must be thoroughly justified.

Slide 8

Chapter 1 – Audit Objectives

Audit objectives refer to the specific goals of the audit. These objectives often are centered on substantiating that internal controls are functioning to minimize business risk. The audit objectives, then, need to be translated into specific IS audit objectives.

For example, for a financial audit, an internal control is designed to ensure transactions are posted correctly to the general ledger. The audit objective is to determine whether this control is performing as intended. The corresponding IS audit objective might be to make sure that editing features are in place to detect errors in the transaction coding that may affect the posting of the transactions.

Slide 9

Chapter 1 – Audit Documentation

In addition to the audit plan, the documentation for an IS audit includes:

A description or diagram of the IS environment

Audit programs

Minutes of meetings

Audit evidence

Findings

Conclusions and recommendations

Any report issued as a result of the audit work

Supervisory review comments, if any

Slide 10

Chapter 1 – Audit Documentation, cont.

At a minimum, documentation should include a record of the:

Planning and preparation of the audit scope and objectives

Description and/or walkthroughs on the scoped audit area

Audit program

Audit steps performed and audit evidence gathered

Use of services of other auditors and experts

Audit findings, conclusions and recommendations

The documentation should also include evidence of supervisory review and the report that was issued as a result of the audit work.

Also necessary is any audit information required by contractual stipulations, regulations, laws and professional standards.

Slide 11

Chapter 1 – IT Audit Program

An effectively planned and developed IT audit program should:

Identify areas of greatest IT risk exposure to the organization.

Promote the confidentiality, integrity and availability of information systems.

Determine the effectiveness of management's planning and oversight of IT activities.

Evaluate the adequacy of operating processes and internal controls.

Determine the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.

Recommend appropriate corrective action to address deficient internal controls.

Follow-up with management to ensure that recommended corrective actions have been effectively implemented.

Slide 12

Chapter 1 – Enterprise Risk Management

The initial steps of risk management include:

analyzing the value of assets to the business,

identifying threats to those assets, and

evaluating how vulnerable each asset is to those threats.

Slide 13

Chapter 1 – Enterprise Risk Management

An effective risk-based auditing program should cover all of an organization's major activities. The frequency and depth of each area's audit will vary according to the risk assessment of that area.

Risk-based IT audit programs should:

Identify the organization's data, application and operating systems, technology, facilities, and personnel.

Identify the business activities and processes within each of those categories.

Include profiles of significant business units, departments, and product lines or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the organization.

Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments and products.

Slide 14

Chapter 1 – Enterprise Risk Management, cont.

Risk-based IT audit programs should also:

Include board or audit committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, audit cycles, work program scope and resource allocation for each area audited,

Implement the audit plan through planning, execution, reporting and follow-up,

Include a process that regularly monitors the risk assessment and updates it at least annually for all significant business units, departments, and products or systems.
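The scoring step on these two slides (rank business and control risk for each significant unit, then set audit frequency and update the assessment at least annually) is the part of a risk-based program that is usually built as a small model. The following is an added example, not code from the ISACA review material: a constructed audit universe is rated on a few assumed inherent-risk factors, the assessed control strength turns that into a composite score, and the score sets the audit cycle. The factor names, weights, rating scales, cycle thresholds and the four sample areas are all assumptions for illustration.

```python
"""Risk scoring for an IT audit universe.

Added example, not part of the ISACA review material: each audit area in a
constructed audit universe is rated on a few inherent-risk factors and on the
assessed strength of its controls; the composite score ranks the areas and
sets how often each is audited.  The factor names, weights, rating scales,
cycle thresholds and the sample areas are all assumptions for illustration.
"""

from dataclasses import dataclass, field

# Assumed weights for the inherent-risk factors; they sum to 1.0 so the
# weighted inherent risk stays on the same 1..5 scale as the ratings.
FACTOR_WEIGHTS = {
    "financial_impact": 0.35,  # value of assets / transactions at stake
    "regulatory": 0.25,        # legal, regulatory or contractual exposure
    "complexity": 0.20,        # technology and process complexity
    "change": 0.20,            # extent of change since the last audit
}

# Assumed mapping from composite score to audit cycle (years between audits).
CYCLE_THRESHOLDS = [(3.0, 1), (1.5, 2), (0.0, 3)]


@dataclass
class AuditArea:
    name: str
    factors: dict           # factor name -> rating, 1 (low) .. 5 (high)
    control_strength: int   # 1 (weak) .. 5 (strong), from prior audits or walkthroughs
    inherent: float = field(init=False)
    control_risk: float = field(init=False)
    score: float = field(init=False)

    def __post_init__(self):
        missing = set(FACTOR_WEIGHTS) - set(self.factors)
        if missing:
            raise ValueError(f"{self.name}: missing factors {sorted(missing)}")
        for name, rating in self.factors.items():
            if name not in FACTOR_WEIGHTS or not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: bad rating for factor {name!r}")
        if not 1 <= self.control_strength <= 5:
            raise ValueError(f"{self.name}: control strength out of range")
        # Weighted inherent risk, 1.0 .. 5.0.
        self.inherent = sum(w * self.factors[f] for f, w in FACTOR_WEIGHTS.items())
        # Control risk as a multiplier: strong controls (5) leave 0.2 of the
        # inherent risk, weak controls (1) leave all of it.
        self.control_risk = (6 - self.control_strength) / 5
        self.score = round(self.inherent * self.control_risk, 2)


def audit_cycle_years(score: float) -> int:
    """Years between audits for a given composite score."""
    for threshold, years in CYCLE_THRESHOLDS:
        if score >= threshold:
            return years
    return CYCLE_THRESHOLDS[-1][1]


def rank_universe(areas):
    """Rank areas by descending score; returns (name, score, cycle_years)."""
    ranked = sorted(areas, key=lambda a: a.score, reverse=True)
    return [(a.name, a.score, audit_cycle_years(a.score)) for a in ranked]


# Constructed audit universe for illustration.
UNIVERSE = [
    AuditArea("EFT / payments platform",
              {"financial_impact": 5, "regulatory": 5, "complexity": 4, "change": 3},
              control_strength=3),
    AuditArea("HR self-service portal",
              {"financial_impact": 2, "regulatory": 3, "complexity": 2, "change": 2},
              control_strength=4),
    AuditArea("Data centre physical access",
              {"financial_impact": 3, "regulatory": 3, "complexity": 1, "change": 1},
              control_strength=5),
    AuditArea("Cloud migration programme",
              {"financial_impact": 4, "regulatory": 3, "complexity": 5, "change": 5},
              control_strength=2),
]

if __name__ == "__main__":
    for name, score, years in rank_universe(UNIVERSE):
        print(f"{score:5.2f}  every {years} year(s)  {name}")
```

The ranking, not the absolute numbers, is what goes to the audit committee for approval; re-running the model with refreshed ratings each year is the "monitor and update at least annually" step.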

Slide 15

Chapter 1 – Testing Procedures for IS Controls

It is management's responsibility to establish and maintain IT controls that meet internal control objectives. When well-designed, these controls can both deter fraud and enable its early detection.

Planning for appropriate audit tests requires that the IS auditor have an understanding of the procedures for testing and evaluating IS controls. These may include:

Use of generalized audit software to survey the contents of data files (including system logs)

Use of specialized software to assess the contents of operating system parameter files (or detect deficiencies in system parameter settings)

Process-charting techniques for documenting automated applications and business processes

The use of audit logs or reports available in operation/application systems

Documentation review

Observation

Slide 16

Chapter 1 – Compliance and Substantive Testing

Testing may involve identifying the controls for compliance with management policies and procedures – that is, gathering evidence to determine whether they are being applied and functioning as expected.

The audit may also involve substantive tests, in which evidence is gathered to evaluate the integrity of selected data or individual transactions. Substantive procedures are tests performed to obtain audit evidence to detect material misstatements in the financial statements.

Because of time and cost constraints, it is often impossible to verify all transactions or events in a specific group of items, so auditors use a sample of that group. This sampling allows auditors to infer characteristics of the entire group based on the characteristics of the sample.

Slide 17

Chapter 1 – Interviewing and Observing

An early step in performance of the audit is interviewing and observing personnel involved in the tasks that will be assessed in the audit. The auditor should:

Determine who is responsible for performing which functions – and whether these individuals are actually doing so.

Do a walkthrough of the processes and procedures.

Observe the security awareness of the individuals involved.

Investigate reporting relationships, and ensure there is appropriate segregation of duties.

Slide 18

Chapter 1 – Compliance and Substantive Testing (review question)

Question:

What is the difference between compliance testing and substantive testing?

Slide 19

Chapter 1 – Compliance and Substantive Testing (review answer)

Answer:

What is the difference between compliance testing and substantive testing?

Compliance testing determines whether controls are in compliance with management policies and procedures. Substantive testing tests the integrity of actual processing.

Slide 20

Chapter 1 – Tips for Conducting a Successful Interview

Know your material, the job function being audited, the inputs and outputs, and the subject's job responsibilities.

Be familiar with key terms and acronyms and how they are used within the context of the job function under review.

Prepare a few questions, but do not read off a list.

Review prior-period work papers and audit reports to gain an understanding of questions that were not asked that should have been. Also, ask what changes have occurred that may have affected the operations under review.

Ask open-ended questions wherever possible. Avoid questions that have definite, specific answers.

Provide the interviewee with an opportunity to add or elaborate on anything before ending the interview.

Slide 21

Chapter 1 – Sampling

General approaches to audit sampling include statistical sampling and non-statistical (or judgmental) sampling. Either type of sampling requires the auditor to make judgments in defining the population characteristics.

Key steps in choosing a sample include:

Determine the objectives of the test.

Define the population to be sampled.

Determine the sampling method, such as attribute versus variable sampling.

Calculate the sample size.

Select the sample.

Evaluate the sample from an audit perspective.

Determining what constitutes the sample depends on several factors such as access to the individuals in the representative group, the availability of resources to use in the selection of the sample, and the technical expertise of those involved in the data collection.
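The steps above are easiest to see on a compliance test that uses attribute sampling. The following is an added example, not code from the ISACA review material. The control under test is assumed to be "every privileged-access change ticket carries a documented approval"; the 400-ticket population, the tickets that secretly lack approval, the 95% confidence level and the 5% tolerable deviation rate are all constructed. The sample-size rule is the zero-expected-deviation one (choose n so that a population deviating at the tolerable rate would almost certainly show at least one deviation in the sample), and the evaluation computes the achieved upper deviation limit from the binomial distribution rather than reading it from a table.

```python
"""Attribute sampling for a compliance test.

Added example, not part of the ISACA review material.  It walks the steps on
the slide: objective, population, attribute sampling method, sample size,
selection and evaluation.  The control under test is assumed to be 'every
privileged-access change ticket carries a documented approval'; the ticket
population, the set of tickets lacking approval, the confidence level and the
tolerable deviation rate are all constructed for illustration.
"""

import math
import random

# Constructed population: 400 change tickets from the period under review.
POPULATION = [f"CHG-{i:04d}" for i in range(1, 401)]
# Constructed ground truth: tickets whose approval is missing.  In a real test
# the auditor learns this only by inspecting each sampled ticket.
UNAPPROVED = {"CHG-0017", "CHG-0222", "CHG-0390"}


def attribute_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Sample size for a zero-expected-deviation attribute test.

    If the true deviation rate were as high as the tolerable rate p, the
    chance of seeing no deviation in n items is (1 - p)^n.  Choose the
    smallest n that makes that chance at most 1 - confidence.
    """
    if not (0 < confidence < 1 and 0 < tolerable_rate < 1):
        raise ValueError("confidence and tolerable_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def select_sample(population, n, seed):
    """Random selection without replacement.  The seed is recorded in the
    work papers so the selection can be reproduced by a reviewer."""
    if n > len(population):
        raise ValueError("sample larger than population")
    return sorted(random.Random(seed).sample(list(population), n))


def _binom_cdf(d, n, p):
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(d + 1))


def upper_deviation_limit(n, d, confidence, tol=1e-7):
    """Achieved upper deviation limit: the smallest population rate at which
    observing d or fewer deviations in n items is no more likely than
    1 - confidence (one-sided binomial bound, found by bisection)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if _binom_cdf(d, n, mid) > 1 - confidence:
            lo = mid          # rate still plausible; bound lies higher
        else:
            hi = mid
    return hi


def evaluate(results, confidence, tolerable_rate):
    """results maps ticket id -> True if the control operated.  The control
    can be relied upon only if the achieved upper limit does not exceed the
    tolerable rate."""
    n = len(results)
    deviations = sum(1 for ok in results.values() if not ok)
    limit = upper_deviation_limit(n, deviations, confidence)
    return {
        "n": n,
        "deviations": deviations,
        "upper_limit": round(limit, 4),
        "rely": limit <= tolerable_rate,
    }


def run_compliance_test(confidence=0.95, tolerable_rate=0.05, seed=20211208):
    n = attribute_sample_size(confidence, tolerable_rate)
    sample = select_sample(POPULATION, n, seed)
    # Inspect each sampled ticket (constructed outcome taken from UNAPPROVED).
    results = {ticket: ticket not in UNAPPROVED for ticket in sample}
    return evaluate(results, confidence, tolerable_rate)


if __name__ == "__main__":
    print(run_compliance_test())
```

With a zero-expected-deviation plan, a single deviation in the sample pushes the achieved upper limit above the tolerable rate, so the auditor cannot rely on the control at the planned level and must either extend the sample or move to substantive testing of the population; that is the practical link between the compliance and substantive testing slides.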

Slide 22

Chapter 1 – Computer Assisted Audit Techniques (CAAT)

A software tool is almost a necessity to gather and analyze records from systems that have different hardware and software environments, or different data structures, record formats or processing functions.

CAATs offer a way to access and analyze data for a specific audit objective, and to report the audit findings. The reliability of the information source provides reassurance on the findings produced.

Advantages of CAATs

Reduced level of audit risk

Greater independence from the auditee

Broader and more consistent audit coverage

Faster availability of information

Improved exception identification

Greater opportunity to quantify internal control weaknesses

Enhanced sampling

Cost savings over time
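The "generalized audit software to survey the contents of data files" item on the testing-procedures slide and the CAAT advantages listed here (broader coverage, improved exception identification, quantified weaknesses) come down to running every record of an extract through a fixed set of exception tests. The following is an added example, not code from the ISACA review material: a constructed EFT payment extract is scanned for duplicate payments, segregation-of-duties breaches, approvals beyond delegated authority and postings outside the period. The file layout, the approval limits and the period are assumptions for illustration.

```python
"""Generalized-audit-software style exception tests over a transaction extract.

Added example, not part of the ISACA review material.  It shows the kind of
file survey a CAAT performs (slides on testing procedures and CAATs): the
whole extract is read, not a sample, and every record is run through a set
of exception tests.  The extract, the field names, the approval limits and
the accounting period are all constructed for illustration.
"""

import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed extract of an EFT payment file (one accounting period).
EXTRACT = """\
txn_id,post_date,payee,amount,entered_by,approved_by
T1001,2021-11-03,Acme Supplies,12500.00,jsmith,mlee
T1002,2021-11-03,Acme Supplies,12500.00,jsmith,mlee
T1003,2021-11-12,Globex,480.00,rkim,rkim
T1004,2021-11-28,Initech,99000.00,jsmith,mlee
T1005,2021-12-02,Umbrella Ltd,2300.00,rkim,mlee
T1006,2021-11-15,Vandelay,760.00,rkim,mlee
"""

# Assumed delegated approval authority per approver.
APPROVAL_LIMITS = {"mlee": Decimal("50000.00"), "rkim": Decimal("5000.00")}
# Assumed period under review.
DEFAULT_PERIOD = (date(2021, 11, 1), date(2021, 11, 30))


def load_extract(text):
    """Parse the CSV extract into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "txn_id": r["txn_id"],
            "post_date": date.fromisoformat(r["post_date"]),
            "payee": r["payee"],
            "amount": Decimal(r["amount"]),
            "entered_by": r["entered_by"],
            "approved_by": r["approved_by"],
        })
    return rows


def scan(rows, period_start, period_end):
    """Run the exception tests; returns a list of (txn_id, test, detail)."""
    exceptions = []
    # Test 1: possible duplicate payments (same payee, amount and date).
    groups = defaultdict(list)
    for r in rows:
        groups[(r["payee"], r["amount"], r["post_date"])].append(r["txn_id"])
    for ids in groups.values():
        for dup in ids[1:]:
            exceptions.append((dup, "DUPLICATE", f"same payee/amount/date as {ids[0]}"))
    for r in rows:
        # Test 2: segregation of duties - the preparer must not be the approver.
        if r["entered_by"] == r["approved_by"]:
            exceptions.append((r["txn_id"], "SOD", f"{r['entered_by']} entered and approved"))
        # Test 3: approval beyond the approver's delegated authority.
        limit = APPROVAL_LIMITS.get(r["approved_by"], Decimal("0"))
        if r["amount"] > limit:
            exceptions.append((r["txn_id"], "OVER_LIMIT",
                               f"{r['amount']} exceeds {limit} for {r['approved_by']}"))
        # Test 4: posted outside the period under review (cut-off).
        if not period_start <= r["post_date"] <= period_end:
            exceptions.append((r["txn_id"], "OUT_OF_PERIOD", r["post_date"].isoformat()))
    return exceptions


def summarize(exceptions):
    """Count exceptions per test - the figures that go in the work papers."""
    counts = defaultdict(int)
    for _, test, _ in exceptions:
        counts[test] += 1
    return dict(counts)


def audit_extract(text=EXTRACT, period=DEFAULT_PERIOD):
    """Load, scan and return the exception list for one extract."""
    return scan(load_extract(text), period[0], period[1])


if __name__ == "__main__":
    found = audit_extract()
    for txn, test, detail in found:
        print(f"{txn}  {test:14}  {detail}")
    print(summarize(found))
```

The exception list, the program listing and the record layout above are exactly the items the next slide says must be retained in the fieldwork papers, which is what lets a reviewer re-run the test.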

Slide 23

Chapter 1 – Computer Assisted Audit Techniques (CAAT)

The following are examples of documentation that should be retained in the auditor's fieldwork papers when using CAATs:

Online reports detailing high-risk issues for review

Commented program listings

Flowcharts

Sample reports

Record and file layouts

Field definitions

Operating instructions

Description of applicable source documents

Slide 24

Chapter 1 – Internal Controls

Internal controls include policies, procedures, practices and organizational structures that are put in place to reduce risk.

Their intent is to provide reasonable assurance that the business objectives of the organization will be achieved and that risk events will be prevented, detected, or corrected.

To implement the control, a control objective is defined for an identified risk. Then, specific control activities or procedures designed to achieve the objective are instituted. These processes and activities, automated or manual, function at all levels in the organization to reduce exposure to risks that could prevent the organization from achieving its business objectives.

Slide 25

Chapter 1 – Internal Controls

Responsibility for establishing a culture that supports internal controls resides with the board of directors and executive management.

A control has two purposes:

to support the organization's operation objectives, and

to prevent, detect or correct undesirable events.

Control elements are classified according to those functions – as preventive, detective or corrective.

Slide 26

Chapter 1 – Internal Controls

Control objectives are management objectives used as the framework for developing and implementing controls or control procedures. They are statements of the purposes that control activities or procedures are designed to serve.

Internal controls typically include:

Internal accounting controls – principally concerned with accounting operations. Examples: the safeguarding of assets, the reliability of financial records

Operational controls – related to the basic operations, functions and activities, to ensure the operation is meeting the business objectives

Administrative controls – focused on operational efficiency in a functional area and adherence to management policies, including operational controls

Slide 27

Chapter 1 – Example Control Objective

Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.

Illustrative controls:

The responsibility for the development and enforcement of a security policy is at an organizational level that facilitates compliance by organization personnel and enables enforcement of policies and procedures.

Security policy and procedures are in place, and are communicated to appropriate employees and contractors.

Policies and procedures are in place for reporting security incidents or observed irregularities to an organizational level at which such matters can be investigated and resolved in a timely fashion.

Policies and procedures are established for the security of filing, retention and destruction of EFT system files.

Slide 28

Chapter 1 – Example Control Objective

Control Objective: Controls provide reasonable assurance that the organization's electronic funds transfer (EFT) system is protected against unauthorized physical and logical access.

Illustrative controls, cont:

Policies and procedures are in place for conducting security system training.

Policies and procedures are in place for discontinuing an employee's (or contractor's) ability to access EFT hardware, software and data when the employee is terminated or the employee's duties change.

Access to EFT files or processes is limited based on users' needs.

Passwords control access to EFT files, personal identification numbers and privacy data.

Firewalls or other procedures prevent unauthorized access to data from an external network.

Policies and procedures are in place to prevent unauthorized access to the EFT processing facility.

Slide 29

Chapter 1 – IS Control Objectives

Safeguarding assets – information on automated systems is secure from improper access and kept up to date.

Ensuring the integrity of general operating system environments, including network management and operations.

Ensuring the integrity of sensitive and critical application system environments, including accounting/financial and management information through:

Authorization of the input – each transaction is authorized and entered only once.

Accuracy and completeness of processing of transactions – all transactions are recorded and entered into the computer for the proper period.

Accuracy, completeness and security of the output.

Database integrity and availability.

Complying with the users' requirements, organizational policies and procedures, and applicable laws and regulations.

Developing business continuity and disaster recovery plans.

Developing an incident response and handling plan.

Managing change.

Slide 30

Chapter 1 – IS Control Objectives

Identify whether each example is a preventive, detective or corrective control.

Choices: Preventive / Detective / Corrective

Using internal audit functions

Completing programmed edit checks

Checking calculations in duplicate

Controlling access to physical facilities

Using encryption software to prevent unauthorized disclosure of data

Reviewing past-due account reports

Creating contingency plans

Checking hash totals

Implementing backup procedures

Slide 31

Chapter 1 – IS Control Objectives

Answer: Identify whether each example is a preventive, detective or corrective control.

Using internal audit functions – Detective

Completing programmed edit checks – Preventive

Checking calculations in duplicate – Detective

Controlling access to physical facilities – Preventive

Using encryption software to prevent unauthorized disclosure of data – Preventive

Reviewing past-due account reports – Detective

Creating contingency plans – Corrective

Checking hash totals – Detective

Implementing backup procedures – Corrective

Slide 32

Chapter 1 – COBIT

COBIT is a governance framework and supporting tool set that IT organizations can use to ensure that IT is working as effectively as possible to minimize risk and maximize the benefits of technology investments.

The COBIT control framework links IT initiatives to the business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered.

Slide 33

Chapter 1 – COBIT

The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business, and to respond to a growing number of regulatory and contractual requirements. The danger, however, is that implementation of these potentially helpful best practices will be costly and unfocused if they are treated as purely technical guidance. To be most effective,

best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organization.

Senior management, business management, auditors, compliance officers and IT managers should work together to make sure that IT best practices lead to cost-effective and well-controlled IT delivery. When developing control recommendations, management should ensure that the controls are well-designed and efficient, that the overall IT operations environment is taken into consideration, and that the controls ultimately assist management in achieving its long-term IT strategic goals.

Slide 34

Chapter 1 – General Controls

To provide reasonable assurance that specific objectives will be achieved, management institutes general control procedures and practices.

Strategy and direction

General organization and management

Access to data and programs

Systems development methodologies and change control

Data processing operations

Systems programming and technical support functions

Data processing quality assurance procedures

Physical access controls

Business continuity and disaster recovery planning

Networks and communications

Database administration

Slide 35

Chapter 1 – Application Controls

IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:

Completeness checks - controls that ensure all records were processed from initiation to completion.

Validity checks - controls that ensure only valid data is input or processed.

Authentication - controls that provide an authentication mechanism in the application system.

Authorization - controls that ensure only approved business users have access to the application system.

Input controls - controls that ensure data integrity fed from upstream sources into the application system.

Source - Wikipedia
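The categories above, together with the "programmed edit checks" and "checking hash totals" items from the preventive/detective exercise, can all be shown on one posting batch. The following is an added example, not code from the ISACA review material or from Wikipedia: a batch header carries the record count, hash total and control total prepared at source, and the program accepts the batch only if the submitter is authorized, the totals agree (completeness) and every record passes its edit checks (validity and sequence). The record layout, the account master, the user roles and the open period are assumptions for illustration.

```python
"""Programmed input controls for a transaction batch.

Added example, not part of the ISACA review material.  It implements the
application-control categories listed on the slide for a posting batch:
authorization (who may submit), completeness (record count, hash total and
control total agree with the batch header), validity (programmed edit checks
on each field) and input sequence.  The record layout, the account master,
the user roles and the open period are assumptions for illustration.
"""

from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_MASTER = {"10100", "20200", "30300"}                 # assumed valid GL accounts
USER_ROLES = {"clerk1": "ap_clerk", "auditor1": "read_only"}  # assumed role assignments
ROLES_MAY_POST = {"ap_clerk"}
OPEN_PERIOD = (date(2021, 11, 1), date(2021, 11, 30))         # assumed open period


def hash_total(records):
    """Hash total over the account numbers: a meaningless sum whose only
    purpose is to detect lost, added or altered records."""
    return sum(int(r["account"]) for r in records if r["account"].isdigit())


def edit_checks(rec, expected_seq):
    """Programmed edit checks on one record; returns a list of error codes."""
    errors = []
    if rec["seq"] != expected_seq:
        errors.append("SEQUENCE")
    if rec["account"] not in ACCOUNT_MASTER:
        errors.append("ACCOUNT")
    try:
        amount = Decimal(rec["amount"])
        # Positive, and no more than two decimal places.
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append("AMOUNT")
    except InvalidOperation:
        errors.append("AMOUNT")
    try:
        d = date.fromisoformat(rec["date"])
        if not OPEN_PERIOD[0] <= d <= OPEN_PERIOD[1]:
            errors.append("DATE")
    except ValueError:
        errors.append("DATE")
    return errors


def validate_batch(batch, submitted_by):
    """Accept the batch only if every control passes; otherwise reject it with
    the full list of (record seq or 'BATCH', error code)."""
    header, records = batch["header"], batch["records"]
    errors = []
    # Authorization: only approved business roles may post.
    if USER_ROLES.get(submitted_by) not in ROLES_MAY_POST:
        errors.append(("BATCH", "AUTHZ"))
    # Completeness: the batch must match the totals prepared at source.
    if header["record_count"] != len(records):
        errors.append(("BATCH", "COUNT"))
    if header["hash_total"] != hash_total(records):
        errors.append(("BATCH", "HASH"))
    control = Decimal("0")
    for r in records:
        try:
            control += Decimal(r["amount"])
        except InvalidOperation:
            pass
    if Decimal(header["control_total"]) != control:
        errors.append(("BATCH", "CONTROL_TOTAL"))
    # Validity: programmed edit checks on every record, in sequence.
    for i, r in enumerate(records, start=1):
        for code in edit_checks(r, i):
            errors.append((r["seq"], code))
    return {"accepted": not errors, "errors": errors}


# Constructed batches for illustration.
GOOD_BATCH = {
    "header": {"record_count": 3, "hash_total": 60600, "control_total": "400.00"},
    "records": [
        {"seq": 1, "account": "10100", "amount": "100.00", "date": "2021-11-05"},
        {"seq": 2, "account": "20200", "amount": "250.50", "date": "2021-11-06"},
        {"seq": 3, "account": "30300", "amount": "49.50", "date": "2021-11-07"},
    ],
}
BAD_BATCH = {
    "header": {"record_count": 3, "hash_total": 60600, "control_total": "400.00"},
    "records": [
        {"seq": 1, "account": "10100", "amount": "100.00", "date": "2021-11-05"},
        {"seq": 3, "account": "99999", "amount": "-5.00", "date": "2021-13-01"},
    ],
}

if __name__ == "__main__":
    print(validate_batch(GOOD_BATCH, "clerk1"))
    print(validate_batch(BAD_BATCH, "auditor1"))
```

The batch is rejected as a whole rather than record by record, and every failed control is reported at once, so the preparer can reconcile the batch to source in one pass; the rejected batch and its error list are also the audit trail an IS auditor would test when verifying that these controls operate.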

Slide 36

Chapter 1 – Risk Based Audits

A growing number of organizations are moving to a risk-based audit approach. This approach can influence an IS auditor's decision to perform either compliance testing or substantive testing. Identifying risks and vulnerabilities allows the auditor to determine the controls needed to mitigate those risks.

In a risk-based audit approach, IS auditors do not rely on risk alone; they also rely on internal and operational controls and on knowledge of the organization. This type of risk assessment decision helps relate the cost-benefit of a control to the known risk, allowing for practical choices and better cost-benefit recommendations to management.

Knowledge of the relationship between risk and control is important for IS auditors. As an IS auditor, you must be able to

Differentiate types of risks related to business, technology and audit

Identify relevant controls to mitigate these risks

Evaluate the organization's risk assessment and management techniques

Assess risk in order to plan audit work

Slide 37

Chapter 1 – Risk Based Audits

Risk-based IS audit programs should include:

Profiles of significant business units, departments and products, including:

Data

Applications and operating systems

Technology

Facilities

Personnel

Associated business risks and control features

Board or audit committee approval of risk assessments and annual risk-based audit plans

A documented process to monitor the risk assessment and update it (at least annually) for all significant business units, departments and products

Slide 38

Chapter 1 – Risk Based Audit Approach

Gather Information and Plan

Knowledge of business and industry

Prior year's audit results

Recent financial information

Regulatory statutes

Inherent risk assessment

Obtain Understanding of Internal Control

Control environment

Control procedures

Detection risk assessment

Control risk assessment

Equate total risk

Slide 39

Chapter 1 – Risk Based Audit Approach, cont.

Perform Compliance Tests

Identify key controls to be tested

Perform tests on reliability, risk prevention, and adherence to organization policies and procedures

Perform Substantive Tests

Analytical procedures

Detailed tests of account balances

Other substantive audit procedures

Conclude the Audit

Create recommendations

Write audit report

Slide 40

Chapter 1 – Risk Identification

When identifying risk, there are three elements to assess:

Threats to, and vulnerabilities of, processes and assets (including both physical and information assets)

Impact on assets based on threats and vulnerabilities

Probabilities of threats (combination of the likelihood and frequency of occurrence)

Although auditors need to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people or systems.

Slide 41

Chapter 1 – Responding to Risks

After identifying and quantifying risks, the decision must be made as to how to respond to them.

Below are the main response strategies for risks.

Risk avoidance

Risk acceptance

Risk transference

Risk mitigation

Audit planning should address the highest-risk areas within the organization, given the resources available to the internal audit department. Changes to the audit plan may require direct communication/approval from the organization's Audit Committee.

Slide 42

Chapter 1 – Risks

Instructions:

Here are five elements of a risk-based audit. Determine the order in which they should be performed.

Audit Elements

Perform substantive audit procedures

Conduct detection risk assessment

Conduct inherent risk assessment

Develop recommendations

Perform tests on reliability and risk prevention

Slide 43

Chapter 1 – Risks

Answer:

Here are five elements of a risk-based audit. Determine the order in which they should be performed.

The correct order is:

1:  Conduct inherent risk assessment

2:  Conduct detection risk assessment

3:  Perform tests on reliability and risk prevention

4:  Perform substantive audit procedures

5:  Develop recommendations

Slide 44

Chapter 1 – Risks

Instructions:

Here are four types of risk and four definitions. Match each risk to its definition.

Risk

Control risk

Detection risk

Inherent risk

Overall audit risk

Descriptions

The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls

The risk that a material error exists – an error that the internal controls system will not prevent or detect in a timely manner

A combination of the individual types of audit risks for each control objective

The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist

Slide 45

Chapter 1 – Risks

Answers

Each type of risk is followed by its definition.

Control risk

The risk that a material error exists – an error that the internal controls system will not prevent or detect in a timely manner

Detection risk

The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do exist

Inherent risk

The susceptibility of an audit area to error that could be material, assuming that there were no related internal controls

Overall audit risk

A combination of the individual types of audit risks for each control objective

Slide 46

Chapter 1 – Report Audit Findings

In advance of presenting an audit report to senior management, the IS auditor should discuss the findings with management of the audited area. These discussions help ensure that there have been no misunderstandings or misinterpretations of fact. They give the auditee the opportunity to clarify items and express views on the findings, conclusions and recommendations.

The objective of these discussions is to gain agreement and develop a course of corrective action. Where disagreement occurs, the IS auditor should describe the significance of the findings, and the risks and effects of not taking corrective action.

Slide 47

Chapter 1 – Audit Report Contents

The audit report should contain:

An introduction with a purpose statement describing the audit objectives, and informing the reader why the audit was conducted and what was expected to be achieved

Scope statements – identify the audited activities and supportive information such as the time period audited

Background information and summaries – identify the organizational units and functions reviewed, and provide relevant explanatory information

Status of findings, conclusions and recommendations from prior reports

Information about whether the report covers a scheduled audit or is in response to a request

Identification of related activities that were not audited, to delineate the boundaries of the audit

Description of the nature and extent of auditing steps performed

Results – including findings, conclusions on the adequacy of controls and procedures and recommendations

Slide 48

Chapter 1 – Audit Report Supporting Documents

In addition to the audit report, the IS auditor should also keep detailed records in the form of supporting audit documentation. At a minimum, the supporting documentation should include detailed information on the following:

Planning and preparation of the audit scope and objectives

Description and/or walkthroughs on the scoped audit area

Audit program

Audit steps performed and audit evidence gathered

Use of services of other auditors and experts

Audit findings, conclusions and recommendations

Constraints on the conduct of the audit, such as:

Availability of audit staff

Auditee constraints

Slide 49

Chapter 1 – Audit Report

The IS auditor is ultimately responsible to senior management and the organization's audit committee. Even though the IS auditor should discuss the findings with the management staff of the audited entity, this is done only to gain agreement on the findings and develop a course of corrective action. The IS audit director should review the report that the IS auditor prepared, but is not the person who will make the decisions regarding the findings and their potential consequences. The responsibility for reporting to legal authorities rests with the board of directors and its legal counsel.

Slide 50

Chapter 1 – Management Response

In response to the audit results, management should commit to a program of corrective action, with dates by which the action plan will be implemented.

Although management is responsible for deciding the appropriate actions to be taken in response to the reported audit findings, the IS auditor is responsible for assessing management actions for timely resolution of the audit findings.

However, senior management may decide to assume the risk of not correcting the reported conditions because of cost or other considerations. The IS auditor should follow up to determine whether such a decision has been made.

Slide 51

Chapter 1 – Control Self-Assessment

The principal objective of a CSA program is to shift certain control-monitoring responsibilities to the functional areas and, in this way, enhance the audit function.

The program works to educate management about control design and monitoring, concentrating especially on high-risk areas. Line management becomes responsible for both managing and monitoring the controls in its environment. A CSA program is intended to offer support for the monitoring process such as suggestions for the control environment or workshops to empower workers to assess or design the control environment.

Each phase of a CSA program should have specific success measures associated with it to assess the value of the program. COBIT includes a generic set of goals and metrics for each process that can be used in creating the CSA program.

The role of the IS auditor in this process should be that of a facilitator, and the management of the functional area is the participant. During a CSA workshop, the auditor – instead of performing detailed audit procedures – leads and guides the participants in assessing their environment by providing insight about the objectives of controls based on risk assessment.

Slide 52

Chapter 1 – Control Self-Assessment Advantages

The benefits of CSA include:

Early detection of risks

More effective and improved internal controls

Creation of cohesive teams through employee involvement

Increased employee awareness of organizational objectives, and knowledge of risk and internal controls

Increased communication between operational and top management

Improved audit rating process

Reduction in control cost

Assurance to executive management, stakeholders and customers

Slide 53

Chapter 1 – Control Self-Assessment Disadvantages

Potential disadvantages of CSA include the following:

It could be mistaken for an audit function replacement

It may be regarded as additional workload

Failure to act on improvement suggestions could damage employee morale

Lack of motivation may limit effectiveness in the detection of weak controls

Slide 54

Chapter 1 – Control Self-Assessment (review question)

Instructions: Select all that apply.

Which of the following are potential benefits of CSA?

Provides early detection of risks

Reduces costs by replacing the audit function with self-monitoring

Increases employee awareness of internal controls

Works especially well in a very hierarchical management environment

Slide 55

Chapter 1 – Control Self-Assessment (review answer)

Answer:

CSA provides early detection of risks and increases employee awareness of internal controls. Because it is designed to empower staff members to play an active role in assessing their internal controls, it may not work well in organizations with a very hierarchical management environment. CSA is not intended to replace the audit function.