CISA Domain 1 & 2: CISA Chapter 1 Common Terms
and Definitions
Interviewing and Observing Personnel -
Actual Functions - An adequate test to ensure that the individual who is assigned and authorized to
perform a particular function is the person who is actually doing the job.
Actual Processes and Procedures - Allows the IS auditor to gain evidence of compliance and observe
deviations, if any.
Security Awareness - Should be observed to verify an individual's understanding and practice of good
preventive and detective security measures.
Reporting Relationships - Should be observed to ensure that assigned responsibilities and adequate
segregation of duties are being practiced.
Observation Drawbacks - The observer may interfere with the observed environment. People may change
their behaviours when observed.
Statistical Sampling - An objective (math-based) method of determining the sample size and
selection criteria. Uses the mathematical laws of probability. The IS auditor quantitatively decides
how closely the sample should represent the population.
Non-statistical Sampling - Uses auditor judgement to determine the method of sampling. The method
is based on subjective (decision-based) judgement as to which items/transactions are the most
material and most risky.
Attribute Sampling - Sampling model used to estimate the rate of occurrence of a specific quality
in a population. Answers the question of "how many".
Types:
Stop-or-go Sampling - Sampling model that helps prevent excessive sampling of an attribute by
allowing an audit test to be stopped at the earliest possible moment. Used when very few errors will
be found in a population.
Discovery Sampling - Sampling model that can be used when the expected occurrence rate is
extremely low. Used when the objective of the audit is to seek out fraud, circumvention of
regulations or other irregularities.
Variable Sampling - Technique used to estimate the monetary value or some other unit of
measure of a population from a sample portion.
Types:
Stratified mean per unit - Statistical model in which the population is divided into groups and
samples are drawn from the various groups; used to produce a smaller overall sample size than
unstratified mean per unit.
Unstratified mean per unit - A statistical model in which a sample mean is calculated and projected
as an estimated total.
Difference Estimation - Statistical model used to estimate the total difference between audited
values and book values based on differences obtained from sample observations.
Confidence Coefficient - A percentage expression of the probability that the characteristics of
the sample are a true representation of the population. 95% is considered a high degree of comfort.
If internal controls are strong, the confidence coefficient may be lowered and the sample size
lowered. The greater the confidence coefficient, the larger the sample size.
Expected Error Rate - Estimate stated as a percent of errors that may exist. The greater the
expected error rate, the greater the sample size. Applied to attribute sampling, not variable
sampling.
Tolerable Error Rate - Maximum misstatement or number of errors that can exist without an
account being materially misstated.
Sample Mean - Sum of all the sample values divided by the size of the sample. Measures the
average.
Computer Assisted Audit Techniques (CAATs) - Important tools for the IS auditor in gathering
information from environments. Assist in gathering evidence when systems have different hardware
and software environments. Enable IS auditors to gather information independently. Are a reliable
method to gather evidence. Can include generalized audit software, utility software, debugging and
scanning software, and test data. Could aid significantly in the effective and efficient detection of
irregularities or illegal acts. Can be used for continuous auditing.
Judging Materiality of Findings - Key to determining this is what would be significant to different
levels of management. Assessment requires judging the potential effect of the finding if corrective
action is not taken.
Exit Interview - Conducted at the end of the audit. Provides the IS auditor with the opportunity
to discuss findings and recommendations with management staff of the audited entity. There they
can agree on the findings and develop corrective actions. After agreement is made, senior
management can be briefed.