
CISA_Series_-_Audit_Process_Part_2B.pdf


Part 2B of the CISA Audit Process series explores the governance and foundational concepts that support effective information systems auditing and risk-based assurance activities.

This presentation covers:
• Governance structures and oversight responsibilities
• The role of the Board, Audit Committee, and Chief Audit Executive
• The Three Lines Model and assurance responsibilities
• Audit authority, independence, and objectivity
• The purpose and importance of the Audit Charter
• Attribute vs Performance Standards
• Audit ethics and professional conduct
• Understanding the organisation and business environment
• How business understanding supports enterprise risk assessment, audit universe development, and strategic audit planning

Alison

May 13, 2026


Transcript

  1. CISA Series – Part 2B: The Information Systems Audit Process
     Governance, Foundation of the Audit Function, and Understanding the Business Environment
     © Alison Wickens | Management System Insights, CISA Series 2026. Not affiliated with any organisation. Redistribution or commercial use prohibited.
  2. Series Overview
     Part 1 — Introduction, Standards and Ethics, Audit Lifecycle Overview
     Part 2 — Governance, Foundation of the Audit Function, and Understanding the Business Environment
     Part 3 — Enterprise Risk Assessment, Audit Universe Development, and Strategic Audit Planning
     Part 4 — Individual Engagement Planning and Audit Project Management
     Part 5 — Audit Execution and Fieldwork, Evidence Collection, Data Analytics, and Technology-Enabled Auditing
     Part 6 — Data Analytics, Technology-Enabled Auditing, Evaluation of Findings, and Root Cause Analysis
     Part 7 — Audit Reporting, Communication, and Follow-Up Activities, Quality Assurance and Continuous Improvement
  3. Governance, and Understanding the Business Environment: Topics
     • Governance & Oversight
     • Internal Audit Foundation
     • Business Context
     • Risk & Compliance Context
  4. Why This Is Important
     Governance & Oversight
     • Supports accountability, governance, and strategic alignment
     • Clarifies oversight responsibilities and assurance roles
     Internal Audit Foundation
     • Establishes audit authority, independence, and objectivity
     • Strengthens professional and consistent audit practices
     Business Context
     • Aligns audit activities with business objectives and operations
     • Improves understanding of organisational culture and stakeholders
     Risk & Compliance Context
     • Supports risk-based audit planning and prioritisation
     • Enhances awareness of regulatory and compliance obligations
     • Focuses assurance on areas of highest organisational impact
  5. Why Auditors Must Understand the Business
     • Audit supports business objectives
     • Risks differ across industries
     • Technology drives business operations
     • Controls exist to reduce business risk
     • Auditors audit business processes, not just technology
  6. Common CISA Confusion Areas (commonly confused concept: key distinction)
     • Governance vs Management: oversight and direction vs execution and operations
     • Board vs Audit Committee: overall organisational governance vs focused audit/risk oversight
     • Strategy vs Operations: long-term direction vs day-to-day execution
     • Business Objectives vs IT Objectives: organisational goals vs technology enablement goals
     • Risk Appetite vs Risk Tolerance: overall acceptable risk level vs acceptable variation
     • Risk vs Issue: potential future event vs existing problem
     • Threat vs Vulnerability: cause of harm vs weakness exploited
     • Risk vs Control: exposure vs mitigation mechanism
     • Compliance vs Governance: adherence to requirements vs overall oversight and accountability
     • Governance Framework vs Control Framework: oversight structure vs operational control guidance
     • Internal Control vs Internal Audit: control operation vs independent assurance
     • Independence vs Objectivity: reporting structure vs auditor mindset
     • Accountability vs Responsibility: ultimately answerable vs performs the work
     • Authority vs Responsibility: right to direct vs obligation to perform
     • Assurance vs Oversight: independent evaluation vs governance supervision
     • Audit vs Assessment: independent assurance vs advisory/review activity
     • Monitoring vs Auditing: continuous oversight vs periodic independent review
     • Stakeholders vs Customers: interested parties vs service recipients
     • Business Process vs IT Process: organisational workflow vs supporting technology activities
     • Policy vs Procedure: what must be done vs how it is done
     • Standard vs Guideline: mandatory requirement vs recommended practice
     • Culture vs Control Environment: organisational behaviours vs formal governance and controls
     • Regulatory Requirement vs Contractual Requirement: legal obligation vs agreement-based obligation
     • Due Care vs Due Diligence: reasonable caution vs ongoing investigation and monitoring
     • Governance Roles vs Assurance Roles: decision-making authority vs independent evaluation
     • First Line vs Second Line vs Third Line: operate controls vs oversee risk vs provide independent assurance
     • Business Context vs Risk Context: organisational environment vs specific exposure landscape
     • Strategic Risk vs Operational Risk: long-term business threat vs day-to-day operational exposure
     • Business Continuity vs Disaster Recovery: maintaining operations vs restoring technology services
     • Data Owner vs System Owner: accountability for information vs accountability for systems
     • Ethics vs Compliance: moral conduct vs adherence to formal requirements
  7. Next in the Series: Part 2C, Enterprise Risk Assessment, Audit Universe Development, and Strategic Audit Planning
     • Foundations of risk management
     • Enterprise Risk Management (ERM) concepts
     • Risk identification and assessment techniques
     • Inherent risk vs residual risk
     • Risk response and treatment strategies
     • Internal control concepts and objectives
     • Preventive, detective, and corrective controls
     • Manual vs automated controls
     • Control design and operating effectiveness
     • Segregation of duties and access controls
     • Governance and control frameworks
     • COBIT, COSO, and ISO-based control environments
     • Linking risks, controls, and audit objectives
     • Evaluating control maturity and effectiveness
     Key Focus: Understanding how organisations identify, manage, and control risk, and how auditors evaluate the design and effectiveness of internal controls to support governance, compliance, and business objectives.
  8. Disclaimer
     Based on practical experience and interpretation. Not affiliated with any organisation.
     • Like • Share • Subscribe • Follow the series
     Thank You