Audit Project Management
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series covers how to run an IS audit as a disciplined project. It walks through the three audit phases, the role of the audit program and work papers, the auditor’s responsibilities around fraud awareness, and how agile approaches can be applied without compromising professional standards.
What this episode covers
- Running an audit as a project — plan the engagement, build a timeline, execute the tasks, and monitor progress against the plan.
- Audit objectives — the specific goals the audit must achieve (distinct from control objectives); they typically focus on legal compliance and the confidentiality, integrity, and availability of information.
- Three audit phases — planning, fieldwork and documentation, and reporting and follow-up, with key activities at each stage.
- Audit program — a formally documented, ordered list of procedures that creates a repeatable recipe and meets planning-phase standards.
- Work papers — the traceable bridge between objectives and report, requiring strong security controls and clear retention policies.
- Fraud awareness — the auditor’s duty to exercise due professional care, recognise fraud indicators, and escalate appropriately without conducting a full investigation unprompted.
- Agile auditing — how parallel task execution, shorter planning cycles, and real-time stakeholder involvement speed up the engagement while remaining compatible with professional standards.
Frequently Asked Questions
What are the three phases every audit moves through?
Every audit moves through planning (determining the subject, defining objectives, setting scope, and performing pre-audit risk assessment), fieldwork and documentation (acquiring data, testing controls, discovering and validating issues, and documenting results in work papers), and reporting and follow-up (drafting and issuing the final report, then confirming remediation actions are completed).
What is an audit program, and why is it developed?
An audit program is an ordered list of procedures shaped around each assignment’s scope and goals. It formally documents the procedures and their sequence, creates a repeatable recipe others can reuse, records whether compliance or substantive testing will be used, and satisfies accepted standards for the planning phase.
Why do work papers matter, and what must be done to protect them?
Work papers are the bridge between objectives and the final report, giving complete traceability for everything done during the audit. Because they often hold sensitive information that a malicious actor could exploit, auditors must protect their integrity with the same security controls they assess elsewhere and set clear retention and destruction rules by audit type.
How does agile auditing differ from a traditional audit approach?
Agile auditing borrows ideas from agile software development, blurring the line between planning and fieldwork so tasks run in parallel rather than in strict sequential phases. Planning can shrink from months to weeks, the scope flexes as new information appears, and real-time assurance is given as issues are found — all while the auditor still maintains independence, objectivity, and professional skepticism.
Reference: This article is based on concepts discussed in Audit Project Management.