Han Jumashov’s Post


IT Risk Advisory @Schneider Downs | ISACA Topic Leader @Engage ->Professional Development Forum

#LetsSimplifyCISA - Audit Results pt.1

As we get closer to wrapping up the process of auditing information systems, it is paramount to understand how audit results come together and are communicated. There are a few key concepts to keep in mind from the CISA exam perspective: control objective, compensating controls, materiality of findings, and communication of audit results.

Control Objective

Let's explore a practical example by thinking about the "control" objectives we all have in our daily lives. The control here is to lock the door when you leave your home. Quite simple, right? Then every time you come back home, you should find a locked door that needs a key for you to get in. In other words, the objective is to NOT let anyone in unless they are AUTHORIZED to have the key (not just HAVE). Keep this example in mind as we explore the other concepts mentioned above.

Compensating Control

Imagine there are days when you could not lock the door, or you lost the key, or something else prevented you from accomplishing the "control" objective. Obviously, we can't afford to just leave our home with the front door ajar. What we can do is compensate for that with other factors, a.k.a. controls. For example, by installing a motion detector and a camera, getting a not-so-friendly dog, or even asking a friend to stay home and watch it for you till the lock gets fixed. As you can see, one can get creative with how controls are compensated, so long as they still help with the main objective.

Materiality of Finding

This is where it gets less obvious and more subjective. To build upon the open-door example, let's create two spin-offs of that scenario. Stay tuned for part 2...
