upto 50% Off Upgrade your Skills with our Special Offers! JOIN NOW X




4. Internal Controls:
  • Internal controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organizations
  • The board of directors are responsible for establishing the effective internal control system
Point to remember:  When CISA question is on the responsibility of internal controls, the answer should be senior most management (BoD, CEO, CIO, CISO etc) , based on the options available. 

Classification of internal controls:

    • Preventive controls
    • Detective controls
    • Corrective controls
Point to remember: CISA question will be scenario based, where the candidate should have a thorough understanding of all the three controls and able to differentiate between preventive, detective and corrective controls 

Preventive controls: are those internal controls which are deployed to prevent happening of an event that might affect achievement of organizational objectives. Some examples of preventive control activities are:

  • Employee background checks
  • Employee training and required certifications
  • Password protected access to asset storage areas
  • Physical locks on inventory warehouses
  • Security camera systems
  • Segregation of duties(i.e. recording, authorization, and custody all handled by separate individuals)

Detective controls: Detective controls seek to identify when preventive controls were not effective in preventing errors and irregularities, particularly in relation to the safeguarding of assets.  Some examples of detective control activities are:

  • bank reconciliations
  • control totals
  • physical inventory counts
  • reconciliation of the general ledgers to the detailed subsidiary ledgers
  • Internal audit functions

Corrective controls: When detective control activities identify an error or irregularity, corrective control activities should then see what could or should be done to fix it, and hopefully put a new system in place to prevent it the next time around. Some examples of corrective control activities are:

  • data backups can be used to restore lost data in case of a fire or other disaster
  • data validity tests can require users to confirm data inputs if amounts are outside a reasonable range
  • insurance can be utilized to help replace damaged or stolen assets
  • management variance reports can highlight variances from budget to actual for management corrective action
  • training and operations manuals can be revised to prevent future errors and irregularities
  • Developed by ISACA
  • A comprehensive framework that assist enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT)
  • COBIT 5 based on 5 principles and 7 enablers
5 Principles 7 Enablers
1.  Meeting Shareholders needs 1.  Principles, Policies and Frameworks
2.  End-to-End coverage 2. Processes
3.  Holistic Approach 3. Organizational Structures
4. Integrated Framework 4. Culture, Ethics and Behaviour
5. Separate governance from management 5. Information
  6. Services, Infrastructure and Applications
  7. People, Skills and Competencies

(Note: A CISA candidate will not be asked to specifically identify the COBIT process, the COBIT domains or the set of IT processes defined in each. However, candidates should know what frameworks are, what they do and why they are used by enterprises)

6. Risk based auditing

Audit Risk – the risk that information may contain a material error that may go undetected during the course of the audit.

The audit approach should be as follows:

  • Step 1 – Gather available information and plan through review of prior year’s audit results, recent financial information, inherent risk assessments
  • Step 2 – Understanding of existing internal controls by analyzing control procedures, detection risk assessment
  • Step 3 – Perform compliance testing by identifying key controls to be tested
  • Step 4 – Perform substantive testing by test of account balances, analytical procedures
  • Step 5 – Conclude the audit – Audit report with independent audit opinion

Factors which influence audit risk

    • Inherent risk – Risk that an activity would pose if no controls/ other mitigating factors were in place.
    • Control risk – Risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
    • Detection risk – The risk that material errors or misstatements that have occurred will not be detected by the IS auditor
    • Residual risk – Risk that remains after controls are taken into account
Point to remember: A CISA candidate should know the differences between preventive, detective and corrective controls. An example of a question in the exam would be: Which of the following controls would BEST detect 


7. Risk Treatment

Risk identified in the risk assessment needs to be treated.

Possible risk response options include:

  • Risk mitigation—Applying appropriate controls to reduce the risk
  • Risk acceptance—Knowingly and objectively not taking action, providing the risk clearly satisfies the organization’s policy and criteria for risk acceptance
  • Risk avoidance—Avoiding risk by not allowing actions that would cause the risk to occur
  • Risk transfer/sharing—Transferring the associated risk to other parties (e.g., insurers or suppliers)

Part 1, Part 2, Part 3

Aswini Srinath ( )
Writer And Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in finance domain including CA Practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd Rank in ISACA Chennai Chapter in 2019. Since then, i have been sharing my learning and experience to a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on the importance and weightage from an exam point of view.