


8. Compliance testing vs. substantive testing

Compliance testing – determines whether controls are operating in compliance with management policies and procedures. Examples:


  • User access rights
  • Program change control procedures
  • Review of logs
  • Software license audit

Substantive testing – gathers evidence to evaluate the integrity of individual transactions, data or other information. Examples:


  • Performance of a complex calculation on a sample basis
  • Testing of account balances
Point to remember:

  • CISA questions will be scenario-based, and the candidate should be able to differentiate between substantive testing and compliance testing.
  • Statistical sampling is to be used when the probability of error must be objectively quantified (i.e., no subjectivity is involved). Statistical sampling is an objective method of sampling in which each item has an equal chance of selection.


9. Audit Evidence

Any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports the audit conclusions.

Techniques for gathering evidence:

  • Review IS organization structures
  • Review IS policies and procedures
  • Review IS standards
  • Review IS documentation
  • Interview appropriate personnel
  • Observe processes and employee performance
  • Walkthrough

Point to remember: A CISA candidate, given an audit scenario, should be able to determine which type of evidence-gathering technique would be best.


10. Audit Sampling

The subset of population members used to perform testing.

Two approaches to sampling:

  • Statistical sampling – uses the mathematical laws of probability to determine the sample size
  • Non-statistical sampling – uses auditor judgment to determine the method of sampling

Methods of sampling

  • Attribute sampling – Applied in compliance testing situations; deals with the presence or absence of an attribute and provides conclusions that are expressed in rates of incidence. Involves three types:
    • Attribute sampling – selecting a small number of transactions and making assumptions about how their characteristics represent the full population of which the selected items are a part
    • Stop-or-go sampling – This model helps prevent excessive sampling of an attribute by allowing an audit test to be stopped at the earliest possible moment. It is mostly used when the auditor believes that relatively few errors will be found in the population
    • Discovery sampling – Mostly used when the objective of the audit is to discover fraud
  • Variable sampling – Applied in substantive testing situations; deals with population characteristics that vary, such as monetary values, weights or any other measurement, and provides conclusions related to deviations from the norm. Involves three types:
    • Stratified mean per unit – A statistical model in which the population is divided into groups and samples are drawn from the various groups
    • Unstratified mean per unit – A statistical model in which the sample mean (average) is calculated and projected as an estimated total
    • Difference estimation – A statistical model used to estimate the total difference between audited values and unaudited values, based on the differences obtained from sample observations
  • Important statistical terms:
    • Confidence coefficient (CC) – A percentage expression of the probability that the characteristics of the sample are a true representation of the population. The stronger the internal control, the lower the confidence coefficient required
    • Level of risk – Equal to one minus the confidence coefficient [if the confidence coefficient is 95%, the level of risk is 100% - 95% = 5%]
    • Expected error rate (ERR) – An estimate, stated as a percentage, of the error that may exist. The greater the ERR, the greater the sample size

Point to remember: The IS auditor should be familiar with the different types of sampling techniques and when it is appropriate to use each of them.
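The following worked example is added to these notes (it is not ISACA material and not the author's code) to show how the sampling methods above behave in practice and how they map onto the compliance/substantive split from section 8: attribute sampling yields a rate of incidence for a control attribute, while mean-per-unit and difference estimation project monetary totals. The invoice population is constructed, the field names (`book`, `audited`, `approved`, `stratum`) are assumptions, and the stop-or-go rule is a deliberately simplified stand-in for the sample-size tables an auditor would actually consult.

```python
"""Worked example of audit sampling methods (illustrative code added to the
notes, not ISACA material). The population is constructed, and the stop-or-go
rule is a simplified assumption rather than a real sample-size table."""
import random
from statistics import fmean


def build_population(size=200):
    """Constructed population of purchase invoices (not real audit data).
    'book' is the ledger value, 'audited' the value the auditor verified,
    'approved' whether the approval control was applied to the invoice."""
    population = []
    for i in range(1, size + 1):
        high_value = i % 10 == 0
        book = 10_000 if high_value else 500 + (i * 37) % 400
        audited = book - 50 if i % 40 == 0 else book   # a few understatements
        population.append({
            "id": i,
            "stratum": "high" if high_value else "low",
            "book": book,
            "audited": audited,
            "approved": i % 25 != 0,                   # 8 of 200 lack approval
        })
    return population


def level_of_risk(confidence_coefficient):
    """Level of risk is one minus the confidence coefficient (95% -> 5%)."""
    if not 0 < confidence_coefficient <= 1:
        raise ValueError("confidence coefficient must be in (0, 1]")
    return round(1 - confidence_coefficient, 4)


def draw_sample(population, size, seed=None):
    """Statistical sampling: every item has an equal chance of selection."""
    return random.Random(seed).sample(population, size)


def attribute_sampling(sample, attribute):
    """Compliance test: how often is the control attribute absent?
    The conclusion is a rate of incidence, not a monetary amount."""
    deviations = sum(1 for rec in sample if not rec[attribute])
    return {"sample_size": len(sample), "deviations": deviations,
            "deviation_rate": deviations / len(sample)}


def stop_or_go(population, attribute, block_size, max_size, seed=None):
    """Simplified stop-or-go (assumed rule): examine items in blocks and stop
    at the first block after which no deviation has been seen; otherwise keep
    going up to max_size. Few expected errors therefore mean a small sample."""
    order = random.Random(seed).sample(population, len(population))
    limit = min(max_size, len(population))
    examined = deviations = 0
    while examined < limit:
        block = order[examined:min(examined + block_size, limit)]
        examined += len(block)
        deviations += sum(1 for rec in block if not rec[attribute])
        if deviations == 0:
            break
    return {"examined": examined, "deviations": deviations}


def unstratified_mean_per_unit(sample_values, population_size):
    """Project the sample mean over the whole population as an estimated total."""
    return population_size * fmean(sample_values)


def stratified_mean_per_unit(samples_by_stratum, sizes_by_stratum):
    """Estimate each stratum separately (stratum size x stratum mean), then add."""
    return sum(sizes_by_stratum[s] * fmean(values)
               for s, values in samples_by_stratum.items())


def difference_estimation(sample, population_size, book_total):
    """Estimated audited total = book total + N x mean(audited - book)."""
    mean_difference = fmean(rec["audited"] - rec["book"] for rec in sample)
    return book_total + population_size * mean_difference


if __name__ == "__main__":
    pop = build_population()
    sample = draw_sample(pop, 40, seed=1)
    print("level of risk at 95% CC:", level_of_risk(0.95))
    print("attribute sampling:", attribute_sampling(sample, "approved"))
    print("stop-or-go:", stop_or_go(pop, "approved", 10, 60, seed=1))
    book_total = sum(r["book"] for r in pop)
    print("unstratified MPU:",
          unstratified_mean_per_unit([r["audited"] for r in sample], len(pop)))
    # Stratified sampling draws from each group separately.
    high = [r for r in pop if r["stratum"] == "high"]
    low = [r for r in pop if r["stratum"] == "low"]
    by_stratum = {"high": [r["audited"] for r in draw_sample(high, 5, seed=2)],
                  "low": [r["audited"] for r in draw_sample(low, 35, seed=2)]}
    sizes = {"high": len(high), "low": len(low)}
    print("stratified MPU:", stratified_mean_per_unit(by_stratum, sizes))
    print("difference estimation:",
          difference_estimation(sample, len(pop), book_total))
    print("book total:", book_total,
          "true audited total:", sum(r["audited"] for r in pop))
```

Running the script and comparing the three variable-sampling estimates against the true audited total shows why stratifying matters when a few high-value items dominate the population, and why difference estimation is attractive when most audited values equal their book values.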


11. Control Self-assessment (CSA)

1. What is CSA?

  • An assessment of controls made by the staff and management of the unit or units involved
  • A management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable
  • Ensures that employees are aware of the risk to the business and conduct periodic, proactive reviews of controls

2. Objectives of CSA

  • To leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
  • Not intended to replace audit’s responsibilities but to enhance them

3. Benefits of CSA

  • Early detection of risk
  • More effective and improved internal controls
  • Developing a sense of ownership of the controls in the employees and process owners, and reducing their resistance to control improvement initiatives
  • Increased communication between operational and top management
  • Highly motivated employees

4. Disadvantages of CSA

  • May be mistaken for a replacement of the audit function
  • May be considered an additional workload
  • Failure to act on improvement suggestions could damage employee morale
  • Lack of motivation may limit effectiveness in the detection of weak controls

5. Auditor’s role in CSA

  • The auditor’s role in CSAs should be considered enhanced when audit departments establish a CSA program.
  • Auditors become internal control professionals and assessment facilitators


Aswini Srinath
Writer And Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in the finance domain, including CA practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd rank in ISACA Chennai Chapter in 2019. Since then, I have been sharing my learning and experience with a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on their importance and weightage from an exam point of view.