CISA Review Course 26 th Edition
Domain 1: The Process of Auditing Information Systems
ABOUT THE CISA EXAM
CISA EXAM PREPARATION
©Copyright 2016 ISACA. All rights reserved.
Welcome!
This program is designed to prepare you for success on the CISA exam, one step in the process of becoming certified.
The program will include:
o Information about the CISA exam and certification
o Detailed coverage of the body of knowledge required by CISA
o Activities, exam discussion questions and group discussions
o Real-world examples of CISA subject matter

CISA Certification
CISA certification benefits include:
o Gives you a competitive edge
o Helps you achieve a high professional standard
o Confirms and demonstrates your knowledge and experience
o Quantifies and markets your experience
o Provides global recognition as a mark of excellence
o Increases your value to your organization
CISA Accreditation
The American National Standards Institute (ANSI) has accredited CISA under ISO/IEC 17024:2012, General Requirements for Bodies Operating Certification Schemes for Persons.
Accreditation by ANSI achieves the following:
o Promotes the unique qualifications and expertise certifications provide
o Protects the integrity of the certifications and provides legal defensibility
o Enhances consumer and public confidence in the certifications and the people who hold them
o Facilitates mobility across borders or industries

The CISA Exam
The CISA exam is offered three times a year, in June, September and December.
Exam registration dates:
o Registration opens approximately eight months prior to exam date.
o Early registration ends approximately five months prior to exam date.
o Registration closes approximately eight weeks prior to exam date.
Register at www.isaca.org.

About the CISA Exam
More than 118,000 professionals have earned the CISA certification since it was introduced in 1978.

Job Practice
The CISA Certification Working Group oversees the development of the CISA exam, ensuring that the job practice is properly tested.
The exam consists of 150 multiple-choice questions covering the CISA job practice domains.
Domain 1: The Process of Auditing Information Systems, 21%
Domain 2: Governance and Management of IT, 16%
Domain 3: Information Systems Acquisition, Development and Implementation, 18%
Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
Domain 5: Protection of Information Assets, 25%
Basis of the CISA Exam
The CISA exam is based on a job practice. Topics that candidates are expected to understand are described in a series of task and knowledge statements.
o Task statements describe the specific tasks the CISA candidate should be able to perform.
o Knowledge statements are the knowledge areas required in order for the candidate to perform the tasks.
Test questions are specifically designed to validate that the candidate possesses the knowledge to perform a given task.

Pre-Course Question 1
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls

Pre-Course Question 2
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management
only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as

Pre-Course Question 3
An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).
Pre-Course Question 4
A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.

Pre-Course Question 5
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages

Domain 1
The Process of Auditing Information Systems
Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.
Domain Objectives
The focus of Domain 1 is to encompass the entire practice of IS auditing, including a set of procedures and a thorough methodology that allows an IS auditor to perform an audit on any given IT area in a professional manner.
The objective of this domain is to ensure that the CISA candidate has the knowledge necessary to:
o Provide audit services in accordance with IS audit standards.
o Assist the organization with protecting and controlling information systems.

On the CISA Exam
Domain 1 represents 21% of the questions on the CISA exam (approximately 32 questions).

Domain Tasks
Domain 1 incorporates five tasks related to the process of auditing information systems.
1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Task 1.1
Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
Key Terms
Key Term: Information systems (IS)
Definition: The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.
Key Term: Standard
Definition: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO).
Key Term: Guideline
Definition: A description of a particular way of accomplishing something that is less prescriptive than a procedure.
Key Term: Tools and techniques
Definition: Tools and techniques provide examples of processes an IS auditor might follow in an audit engagement. The tools and techniques documents provide information on how to meet the standards when completing IS auditing work but do not set requirements.
Task to Knowledge Statements
How does Task 1.1 relate to each of the following knowledge statements?

Knowledge Statement: K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: In order to meet both the goals and objectives of an IS audit and the integrity of the work product that supports the IS audit, the IS auditor must know and understand the core ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, and Code of Professional Ethics.

Knowledge Statement: K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: All IS auditors must be able to accurately and efficiently use risk assessment techniques to ensure the IS audit is profiles.

Knowledge Statement: K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: Only through a clear understanding of the underlying business processes can the IS auditor truly understand the scope, purpose and focus for each IS audit engagement.

Knowledge Statement: K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: The IS auditor must use well-developed project management techniques from planning through audit follow-up activities to reasonably assure the timely and effective completion of IS audit engagements.

Knowledge Statement: K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: On all IS audit engagements, legal (to include contracts with business partners) and regulatory requirements must be part of the IS audit process. These requirements affect how often and how many IS audits are performed and also how the audit obtains, collects and protects evidence, reporting and follow-up.

Knowledge Statement: K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Through the understanding of quality assurance systems and frameworks, the IS auditor can: Integrate the validated quality assurance system (QAS) work product into the IS audit. Incorporate auditee QAS tools within the recommendations to address monitoring deficiencies.

Knowledge Statement: K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: professional career, he/she will be asked to lead and/or participate in a variety of IS and associated audits, investigations, surveys and reviews.
IS Audit Function
IS auditing is the formal examination, interview and/or testing of information systems to determine whether:
o Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
o IS data and information have appropriate levels of confidentiality, integrity and availability.
o IS operations are being accomplished efficiently, and effectiveness targets are being met.

IS Auditor Skills
ISACA IS Audit and Assurance Standards require that the IS auditor be technically competent (1006 Proficiency). This is achieved through continuing education.
CISA candidates do NOT need to memorize the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, but they must be able to apply the standard, guideline or ISACA Code of Professional Ethics in a given situation.

Code of Professional Ethics
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields, and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.

Standards and Guidelines
There are three categories of standards and guidelines:
Category: General (Guiding principles)
Description: Apply to the conduct of all assignments, and deal with ethics, independence, objectivity and due care as well as knowledge, competency and skill
Category: Performance
Description: Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence
Category: Reporting
Description: Address the types of reports, means of communication and the information communicated
Standards
Standards contain statements of mandatory requirements. These standards inform:
o IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
o Management and other interested parties of the concerning the work of practitioners
o Holders of the CISA designation of their requirements
Failure to comply with these standards may result in an investigation into the CISA by the ISACA Board of Directors or appropriate ISACA group and, ultimately, in disciplinary action.

General
o 1001 Audit Charter
o 1002 Organizational Independence
o 1003 Professional Independence
o 1004 Reasonable Expectation
o 1005 Due Professional Care
o 1006 Proficiency
o 1007 Assertions
o 1008 Criteria
Performance
o 1201 Engagement Planning
o 1202 Risk Assessment in Planning
o 1203 Performance and Supervision
o 1204 Materiality
o 1205 Evidence
o 1206 Using the Work of Other Experts
o 1207 Irregularity and Illegal Acts
Reporting
o 1401 Reporting
o 1402 Follow-up Activities
Guidelines
The objective of the ISACA IS Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the ISACA IS Audit and Assurance Standards. The IS audit and assurance professional should:
o Consider these guidelines in determining how to implement the standards.
o Use professional judgment in applying the guidelines to specific audits.
o Be able to justify any departure from the ISACA IS Audit and Assurance Standards.

General
o 2001 Audit Charter
o 2002 Organizational Independence
o 2003 Professional Independence
o 2004 Reasonable Expectation
o 2005 Due Professional Care
o 2006 Proficiency
o 2007 Assertions
o 2008 Criteria
Performance
o 2201 Engagement Planning
o 2202 Risk Assessment in Planning
o 2203 Performance and Supervision
o 2204 Materiality
o 2205 Evidence
o 2206 Using the Work of Other Experts
o 2207 Irregularity and Illegal Acts
o 2208 Sampling
Reporting
o 2401 Reporting
o 2402 Follow-up Activities
Tools and Techniques
ITAF™ is a reference model that establishes standards, defines terms and provides guidance on the planning, conduct and reporting of IS auditing and assurance assignments.
The tools and techniques documents provide information on how to meet the standards when performing IS auditing work but do not set requirements. Tools and techniques documents include:
o White papers
o Audit/Assurance programs
o COBIT 5 family of products
o Technical and Risk Management Reference series
o ISACA Journal IT Audit Basics
Relationship
Standards: Must be followed by the IS auditor
Guidelines: Provide assistance on how the auditor can implement standards
Tools & Techniques: Provide examples of steps an auditor may follow to implement standards

Laws and Regulations
Certain industries, such as banks and internet service providers (ISPs), are closely regulated. These legal regulations may pertain to financial, operational and IS audit functions.
There are two areas of concern that impact the audit scope and objectives:
o Legal requirements placed on the audit
o Legal requirements placed on the auditee and its systems, data management, reporting, etc.
There may be cases where the legal/regulatory requirements are more stringent than the ISACA IS Audit and Assurance Standards.
Laws and Regulations (continued)
Examples include:
o US Sarbanes-Oxley Act of 2002
o Basel Accords
o US Health Insurance Portability and Accountability Act (HIPAA)
o Protection of Personal Data Directives and Electronic Commerce within the European Community
The IS auditor must:
o Identify those government or other relevant external requirements dealing with:
  Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
  Computer system practices and controls
  The manner in which computers, programs and data are stored
  The organization or the activities of information technology services
  IS audits

Laws and Regulations (continued)
Also, an IS auditor would perform these additional compliance-related steps:
o Document applicable laws and regulations.
o Assess whether management and the IT function have considered the relevant external requirements in their plans, policies, standards and procedures, as well as business application features.
o Review internal IT department/function/activity documents that address adherence to laws applicable to the industry.
o Determine adherence to procedures that address these requirements.
o Determine if there are procedures in place to ensure contracts or agreements with external IT services providers reflect any legal requirements related to responsibilities.

CSA
Control self-assessment (CSA) is an assessment of controls made by the staff and management to assure stakeholders, customers and other parties of the internal controls.
It can range from simple questionnaires to facilitated workshops.
Tools include:
o Management meetings
o Client workshops
o Worksheets
o Rating sheets

CSA Objectives
The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas.
in assessing their environment by providing insight about the objectives of controls based on the risk assessment.
CSA empowers workers to assess or even design the control environment.

CSA Pros and Cons
Advantages:
o Early detection of risk
o More effective and improved internal controls
o Creation of cohesive teams through employee involvement
o Developing a sense of ownership
o Increased employee awareness
o Increased communication
o Improved audit rating process
o Reduction in control cost
o Assurance provided to stakeholders and customers
Disadvantages:
o Mistaken as an audit function replacement
o Regarded as an additional workload
o Failure to act on improvement suggestions could damage employee morale
o Lack of motivation may limit effectiveness in the detection of weak controls
Traditional vs. CSA
Traditional: Assigns duties/supervises staff
CSA: Empowered/accountable employees
Traditional: Policy/rule-driven
CSA: Continuous improvement/learning curve
Traditional: Limited employee participation
CSA: Extensive employee participation and training
Traditional: Narrow stakeholder focus
CSA: Broad stakeholder focus
Traditional: Auditors and other specialists
CSA: Staff at all levels, in all functions, are the primary control analysts.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.12

In the Big Picture
Each task in the five domains contributes to the big picture of IS audit and control. The following shows one such connection. Can you think of others?
Task 1.1: Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
The Big Picture: Through a focused risk-based approach, the IS auditor will focus on those areas most important to the organization.

Discussion Question
Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?
A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

Discussion Question
Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:
A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.

Task 1.2
Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

Key Terms
Key Term: Audit plan
Definition: A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion; includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work
Key Term: Audit risk
Definition: The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred
Key Term: Audit universe
Definition: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process
Key Term: Reasonable assurance
Definition: A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved

Task to Knowledge Statements
How does Task 1.2 relate to each of the following knowledge statements?
Knowledge Statement: K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: By following ISACA standards and guidelines for planning, the IS audit organization charter will charge the IS auditor to always consider the protection of IS systems and the value derived from the systems within all IS audit engagements.

Knowledge Statement: K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: In order to ensure the IS audit focuses on the most important IS security, operations, functions and capabilities being reviewed, the IS auditor must be able to effectively and efficiently assess the risk to these objectives.

Knowledge Statement: K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: Only through a thorough understanding of the business processes supported by the IS can the IS auditor properly plan the IS audit engagement.

Knowledge Statement: K1.4 Knowledge of control principles related to controls in information systems
Connection: The controls that should be in place and the scope of the IS audit are based on the inherent risk associated with the business processes supported by IS and the IS systems themselves.

Knowledge Statement: K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Using risk assessments performed by the organization along with project management techniques, the IS auditor can properly focus time and resources needed to assess IS processes required to protect and deliver value to the organization.

Knowledge Statement: K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: Specific laws and regulations will require specific system, process, data and information protections (controls) that must be assessed by the IS auditor.

Knowledge Statement: K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: Using the correct quality assurance construct will assist the IS auditor in ensuring the scope and purpose are aligned with system protection and value delivery.

Knowledge Statement: K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Based on the type and complexity of the business processes and IS systems the IS auditor has been assigned to audit, he/she will need to select the correct IS audit approach to ensure the protection of the data, information and IS supporting the processes under audit.

Audit Planning
The first step in performing an IS audit is adequate planning.
To plan an audit, the following tasks must be completed:
o List all the processes that may be considered for the audit.
o Evaluate each process by performing a qualitative or quantitative risk assessment. These evaluations should be based on objective criteria.
o Define the overall risk of each process.
o Construct an audit plan to include all of the processes that are rated annual audit plan.
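The four planning tasks above, worked through as an added Python example (not ISACA or CISA Review Course material): the audit universe, the scoring criteria and their weights, the High/Medium/Low cut-offs, the effort figures and every score are constructed assumptions. It goes one step beyond the slide by refusing to drop a High-rated process for lack of capacity and instead reporting the shortfall.

```python
"""Risk-based audit planning over an audit universe.

Added example (not ISACA or CISA Review Course material). It works through the
planning tasks on this slide: list the candidate processes, score each one
against objective criteria, derive an overall risk rating, and build the annual
audit plan from the highest-rated processes that fit the available auditor
days. All process names, weights, thresholds, effort figures and scores are
constructed.
"""
from dataclasses import dataclass, field

# Objective scoring criteria and their weights (assumed values; the audit
# function would agree these with management before scoring). Each criterion
# is scored 1 (lowest) to 5 (highest).
CRITERIA = {
    "likelihood": 0.30,             # how likely a material control failure is
    "financial_impact": 0.30,       # business impact if the process fails
    "regulatory_exposure": 0.20,    # laws and regulations bearing on the process
    "time_since_last_audit": 0.20,  # staleness of existing audit coverage
}
assert abs(sum(CRITERIA.values()) - 1.0) < 1e-9

# Rating thresholds on the 1..5 weighted scale (assumed).
HIGH, MEDIUM = 3.5, 2.5


@dataclass
class Process:
    """One entry in the audit universe."""
    name: str
    effort_days: int                            # estimated auditor days needed
    scores: dict = field(default_factory=dict)  # criterion -> 1..5


def overall_risk(p: Process) -> float:
    """Weighted average of the criterion scores. Rejects unscored or
    out-of-range criteria so a mis-scored entry cannot silently sink or float."""
    missing = set(CRITERIA) - set(p.scores)
    if missing:
        raise ValueError(f"{p.name}: unscored criteria {sorted(missing)}")
    for crit, s in p.scores.items():
        if crit not in CRITERIA or not 1 <= s <= 5:
            raise ValueError(f"{p.name}: invalid score {crit}={s}")
    return round(sum(CRITERIA[c] * p.scores[c] for c in CRITERIA), 2)


def rating(score: float) -> str:
    """Map a weighted score to the overall risk rating of the process."""
    return "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"


def rank_universe(universe):
    """Evaluate every process and sort by overall risk, highest first.
    Returns (name, score, rating) tuples; ties fall back to name order."""
    ranked = []
    for p in universe:
        score = overall_risk(p)
        ranked.append((p.name, score, rating(score)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def build_annual_plan(universe, capacity_days):
    """Fill the annual plan in descending risk order. Every High-rated process
    is planned regardless of capacity; lower-rated ones are added only while
    auditor days remain. Returns (planned, deferred, shortfall_days) so that
    deferrals and any over-commitment are visible to management."""
    effort = {p.name: p.effort_days for p in universe}
    planned, deferred, used = [], [], 0
    for name, _score, rate in rank_universe(universe):
        if rate == "High" or used + effort[name] <= capacity_days:
            planned.append(name)
            used += effort[name]
        else:
            deferred.append(name)
    return planned, deferred, max(0, used - capacity_days)


# Constructed sample audit universe (names, effort and scores are made up).
SAMPLE_UNIVERSE = [
    Process("Payroll", 15, {"likelihood": 3, "financial_impact": 4,
                            "regulatory_exposure": 4, "time_since_last_audit": 2}),
    Process("Accounts payable", 20, {"likelihood": 4, "financial_impact": 5,
                                     "regulatory_exposure": 3, "time_since_last_audit": 4}),
    Process("Purchasing", 10, {"likelihood": 2, "financial_impact": 3,
                               "regulatory_exposure": 2, "time_since_last_audit": 5}),
    Process("Accounts receivable", 20, {"likelihood": 3, "financial_impact": 4,
                                        "regulatory_exposure": 2, "time_since_last_audit": 1}),
    Process("Intranet news portal", 5, {"likelihood": 1, "financial_impact": 1,
                                        "regulatory_exposure": 1, "time_since_last_audit": 3}),
]

if __name__ == "__main__":
    for name, score, rate in rank_universe(SAMPLE_UNIVERSE):
        print(f"{name:22} {score:4.2f} {rate}")
    planned, deferred, shortfall = build_annual_plan(SAMPLE_UNIVERSE, capacity_days=45)
    print("Annual plan:", planned)
    print("Deferred   :", deferred)
    print("Shortfall  :", shortfall, "auditor days")
```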
When To Audit
Audit planning includes short-term and long-term planning.
o Short-term planning involves all audit issues that will be covered during the year.
o Long-term planning takes into account all risk-related
strategic direction.
In addition to a yearly analysis of short-term and long-term issues, individual audits may be conducted based on the following:
o New control issues
o Changes in risk environment, technologies and business processes
o Enhanced evaluation techniques

Audit Planning Steps
In order to plan an audit, the IS auditor must have an understanding of the overall environment under review. To accomplish this task, the IS auditor should:
o Gain an understanding of the mission, objectives, purpose and processes.
o Identify stated contents, such as policies, standards and required guidelines, procedures and organization structure.
o Understand changes in the business environment of the auditee.
o Review prior work papers.
o Perform a risk analysis to help in designing the audit plan.
Also, to plan for an audit, the IS auditor should:
o Set the audit scope and audit objectives.
o Develop the audit approach or audit strategy.
o Assign personnel resources to the audit.
o Address engagement logistics.
CISA Review Course 26 th Edition
Domain 1: The Process of Auditing Information Systems
Additional Considerations
The audit plan should take into consideration the objectives of the IS audit relevant to the audit area and its technology infrastructure and business strategic direction. The IS auditor can gain this information by:
o Reading background material, including industry publications, annual reports and independent financial analysis reports
o Reviewing business and IT long-term strategic plans
o Interviewing key managers to understand business issues
o Reviewing prior audit reports or IT-related reports (from external or internal audits, or specific reviews such as regulatory reviews)
Other ways the IS auditor can gain this information include:
o Identifying specific regulations applicable to IT
o Identifying IT functions or related activities that have been outsourced
o Touring key organization facilities
The IS auditor must also match available audit resources, such as staff, with the tasks defined in the audit plan.
Risk Analysis
During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks.
IS auditors are often focused on high-risk issues associated with confidentiality, integrity and availability of sensitive and critical information.
o Understand the relationship between risk and control.
o Identify and differentiate risk types and the controls used to mitigate the risk.
o Evaluate risk assessment and management techniques used by the organization.
o Understand that risk exists as part of the audit process.

Risk Management Process
Risk Response
Risk response options:
o Risk mitigation: Applying appropriate controls to reduce the risk
o Risk acceptance: Knowingly and objectively not taking action, providing the risk clearly risk acceptance
o Risk avoidance: Avoiding risk by not allowing actions that would cause the risk to occur
o Risk transfer/sharing: Transferring the associated risk to other parties
Source: ISACA, CISA Review Manual 26th Edition, figure 1.3
Risk Assessment
A risk assessment assists the IS auditor in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls.
o Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.
o It supports risk-based audit decision making by considering variables, such as:
  o Technical complexity
  o Level of control procedures in place
  o Level of financial loss
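The risk-based planning steps (list the processes, score each one on objective criteria, define its overall risk, select the highly rated ones for the annual plan) and the three risk variables just named can be carried through in a few lines of Python. This is an added example, not material from the ISACA course: the process names, the 1-5 scoring scale, the scoring formula, and the rating bands are all constructed for illustration.

```python
"""Risk-scored audit universe to annual audit plan (added example, not ISACA's).

The three scoring variables are the ones the course names: technical complexity,
level of control procedures in place, and level of financial loss. The 1-5
scale, the scoring formula, the rating bands and the process list are all
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    technical_complexity: int   # 1 = simple .. 5 = highly complex
    control_level: int          # 1 = few controls in place .. 5 = strong controls
    financial_loss: int         # 1 = negligible loss .. 5 = severe loss


def _check_scale(p: Process) -> None:
    for v in (p.technical_complexity, p.control_level, p.financial_loss):
        if not 1 <= v <= 5:
            raise ValueError(f"{p.name}: every score must be 1..5, got {v}")


def overall_risk(p: Process) -> int:
    """Quantitative overall risk on a fixed objective scale (1..125)."""
    _check_scale(p)
    control_gap = 6 - p.control_level   # strong controls shrink the gap
    return p.technical_complexity * control_gap * p.financial_loss


def rate(score: int) -> str:
    """Rating band for an overall risk score (bands are constructed)."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def build_annual_plan(universe, minimum_rating="high"):
    """Names of processes rated at least `minimum_rating`, riskiest first."""
    order = {"low": 0, "medium": 1, "high": 2}
    ranked = sorted(universe, key=overall_risk, reverse=True)
    return [p.name for p in ranked
            if order[rate(overall_risk(p))] >= order[minimum_rating]]


# Constructed audit universe (process names and scores are illustrative).
UNIVERSE = [
    Process("Payment processing", 5, 2, 5),
    Process("Payroll", 3, 3, 4),
    Process("Accounts receivable", 3, 4, 4),
    Process("Intranet CMS", 2, 4, 1),
    Process("Privileged access management", 4, 1, 4),
]

if __name__ == "__main__":
    for p in sorted(UNIVERSE, key=overall_risk, reverse=True):
        s = overall_risk(p)
        print(f"{p.name:30s} score={s:3d} rating={rate(s)}")
    print("Annual audit plan:", build_annual_plan(UNIVERSE))
```

Because the scale, formula and bands are fixed in advance, two auditors scoring the same process should arrive at the same rating, which is what "based on objective criteria" asks for; the selection step is then mechanical.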
Risk Assessment Process
Using risk assessment to determine areas to be audited:
o Enables management to effectively allocate limited audit resources
o Ensures that relevant information has been obtained from all levels of management
o Establishes a basis for effectively managing the audit department
o Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

[Figure: NIST risk assessment process. Prepare for Assessment; Conduct Assessment (Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk); Communicate Results; Maintain Assessment]
Source: National Institute of Standards and Technology (NIST), NIST Special Publication 800-30, Revision 1: Information Security, USA, 2012. Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.
Risk-based Auditing
[Figure 1.8: risk-based audit flow]
Gather Information and Plan: Knowledge of business and industry; Regulatory statutes; Inherent risk assessments; Recent financial information
Obtain Understanding of Internal Control: Control environment; Control procedures; Detection risk assessment; Control risk assessment; Equate total risk
Perform Compliance Tests: Identify key controls to be tested. Perform tests on reliability, risk prevention and adherence to organization policies and procedures.
Perform Substantive Tests: Analytical procedures; Detailed tests of account balances; Other substantive audit procedures
Conclude the Audit: Create recommendations. Write audit report.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.8

Internal Controls
Internal controls are normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risk to the organization.
Internal controls should address:
o What should be achieved?
o What should be avoided?
Control Classification
Class: Preventive
Function: Detect problems before they arise. Monitor both operation and inputs. Attempt to predict potential problems before they occur and make adjustments. Prevent an error, omission or malicious act from occurring. Segregate duties (deterrent factor). Control access to physical facilities. Use well-designed documents (prevent errors).
Class: Detective
Function: Use controls that detect and report the occurrence of an error, omission or malicious act.
Class: Corrective
Function: Minimize the impact of a threat. Remedy problems discovered by detective controls. Identify the cause of a problem. Correct errors arising from a problem. Modify the processing system(s) to minimize future occurrences of the problem.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.5

IS Control Objectives
IS control objectives are statements of the desired result achieved by implementing controls. They provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented, detected or corrected.
IS control objectives may also include:
o Safeguarding assets
o System development life cycle (SDLC) processes are established, in place and operating effectively
o Integrity of general operating system (OS) environments
o Integrity of sensitive and critical application system environments
o Appropriate identification and authentication of users
o The efficiency and effectiveness of operations
o Integrity and reliability of systems by implementing effective change management procedures

General Controls
General controls include:
o Internal accounting controls that concern the safeguarding of assets and reliability of financial information
o Operational controls that concern day-to-day operations, functions and activities
o Administrative controls that concern operational efficiency in a functional area and adherence to management policies
o Organizational security policies and procedures to ensure proper usage of assets
o Overall policies for the design and use of adequate documents and records
o Access and use procedures and practices
o Physical and logical security policies for all facilities
IS Specific Controls
Each general control can be translated into an IS-specific control. The IS auditor should understand IS controls and how to apply them in planning an audit.
IS control procedures include:
o Strategy and direction of the IT function
o General organization and management of the IT function
o Access to IT resources, including data and programs
o Systems development methodologies and change control
o Operations procedures
o Systems programming and technical support functions
o Quality assurance (QA) procedures
Additional IS control procedures include:
o Physical access controls
o Business continuity planning (BCP)/disaster recovery planning (DRP)
o Networks and communications
o Database administration
o Protection and detective mechanisms against internal and external attacks
COBIT 5
COBIT 5 is a comprehensive framework for governance and management of enterprise IT. It helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
COBIT 5 Principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
Source: ISACA, COBIT 5, USA, 2012, figure 2

Types of Audits
Type: Compliance audits
Description: Compliance audits include specific tests of controls to demonstrate adherence to specific regulatory or industry standards. Examples include Payment Card Industry Data Security Standard (PCI DSS) audits for companies that process credit card data and Health Insurance Portability and Accountability Act (HIPAA) audits for companies that handle health care data.
Type: Financial audits
Description: The purpose of a financial audit is to assess the accuracy of financial reporting. It often involves detailed, substantive testing, although increasingly, auditors are placing more emphasis on a risk- and control-based audit approach. This kind of audit relates to financial information integrity and reliability.
Type: Operational audits
Description: An operational audit is designed to evaluate the internal control structure in a given process or area. Examples include IS audits of application controls or logical security systems.
Type: Integrated audits
Description: An integrated audit combines financial and operational audit steps. It is performed to assess the overall objectives within safeguarding, efficiency and compliance.
Type: Administrative audits
Description: These are oriented to assess issues related to the efficiency of operational productivity within an organization.
Type: IS audits
Description: This process collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals effectively, and consume resources efficiently. It also determines whether they have in effect internal controls that provide reasonable assurance that business, operational and control objectives will be met and that undesired events will be prevented, or detected and corrected, in a timely manner.
Type: Forensic audits
Description: Forensic auditing has been defined as auditing specialized in discovering, disclosing and following up on fraud and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
Integrated Audit
An integrated audit focuses on risk. It involves a team of auditors with different skill sets working together to provide a comprehensive report.
The process typically involves:
o Identification of risk faced by the organization for the area being audited
o Identification of relevant key controls
o Review and understanding of the design of key controls
o Testing that key controls are supported by the IT system
o Testing that management controls operate effectively
o A combined report or opinion on control risk, design and weaknesses
[Figure 1.13: overlap of Operational Audit, Financial Audit and IS Audit]
Source: ISACA, CISA Review Manual 26th Edition, figure 1.13
Continuous Auditing
Continuous auditing is characterized by the short time lapse between the audit, the collection of evidence and the audit reporting.
It results in better monitoring of financial issues, such as fraud, ensuring that real-time transactions benefit from real-time monitoring. Continuous auditing should be independent of continuous controls and continuous monitoring.
This process must be carefully built into the business applications and may include IT techniques such as:
o Transaction logging
o Query tools
o Statistics and data analysis (CAAT)
o Database management systems (DBMS)
o Intelligent agents
Continuous Audit
For continuous auditing to succeed, it needs to have:
o A high degree of automation.
o Alarm triggers to report timely control failures.
o Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters.
o The ability to quickly inform IS auditors of the results of automated procedures, particularly when the process has identified anomalies or errors.
o Quick and timely issuance of automated audit reports.
o Technically proficient IS auditors.
o Availability of reliable sources of evidence.
o Adherence to materiality guidelines.

Audit Methodology
An audit methodology is a set of documented audit procedures designed to achieve planned audit objectives. Its components are a statement of scope, audit objectives and audit programs.
Each audit department should design and approve an audit methodology that is formalized and communicated to all audit staff.
An audit program should be developed to serve as a guide for performing and documenting all of the audit steps, and the extent and types of evidential matter reviewed.
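Two of the continuous-auditing ingredients above, transaction logging as the evidence source and alarm triggers that report control failures as they happen, can be shown end to end in a small Python routine. This is an added example and not code from the ISACA course: the log format, the approval threshold, the business-hours window, the control rules and the sample records are all constructed. The auditor sets the parameters (threshold, hours) and the routine raises an alarm for each failure instead of waiting for the next periodic review.

```python
"""Continuous-audit alarm triggers over a transaction log (added example).

Not ISACA course material. Log format, thresholds and records are constructed.
Each rule mirrors a control an auditor would test in a compliance test:
approval above a threshold, segregation of duties (no self-approval),
posting inside business hours, and no duplicate transaction ids.
"""
import csv
import io
from datetime import datetime

# Constructed journal: one line per posted transaction.
TRANSACTION_LOG = """\
txn_id,posted_at,user,approver,amount,account
1001,2016-03-01T09:12:00,jdoe,mlee,4200.00,AP
1002,2016-03-01T10:05:00,jdoe,,9800.00,AP
1003,2016-03-01T23:40:00,asmith,mlee,12000.00,AP
1004,2016-03-02T11:00:00,asmith,asmith,7500.00,AP
1005,2016-03-02T11:30:00,jdoe,mlee,1500.00,AR
1005,2016-03-02T11:31:00,jdoe,mlee,1500.00,AR
"""

# Parameters the IS auditor sets up (constructed values).
APPROVAL_THRESHOLD = 5000.00    # amounts above this require a named approver
BUSINESS_HOURS = range(7, 20)   # postings allowed 07:00-19:59 local time


def parse_log(text):
    """Parse the CSV journal into dicts with typed amount and timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = float(r["amount"])
        r["posted_at"] = datetime.fromisoformat(r["posted_at"])
        rows.append(r)
    return rows


def alarms(rows):
    """Return (txn_id, rule) pairs, one per control failure, in log order."""
    found = []
    seen_ids = set()
    for r in rows:
        if r["amount"] > APPROVAL_THRESHOLD and not r["approver"]:
            found.append((r["txn_id"], "missing approval above threshold"))
        if r["approver"] and r["approver"] == r["user"]:
            found.append((r["txn_id"], "self-approval (segregation of duties)"))
        if r["posted_at"].hour not in BUSINESS_HOURS:
            found.append((r["txn_id"], "posted outside business hours"))
        if r["txn_id"] in seen_ids:
            found.append((r["txn_id"], "duplicate transaction id"))
        seen_ids.add(r["txn_id"])
    return found


if __name__ == "__main__":
    for txn_id, rule in alarms(parse_log(TRANSACTION_LOG)):
        print(f"ALARM txn {txn_id}: {rule}")
```

Each alarm carries the transaction id, so the auditor can pull the underlying record as evidence; the rule text is the control that failed, which is what the audit report needs to cite. The same rules run unchanged whether the journal is a CSV export or a live feed from the DBMS.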
Audit Phases
Audit Phase: Audit subject
Description: Identify the area to be audited.
Audit Phase: Audit objective
Description: Identify the purpose of the audit.
Audit Phase: Audit scope
Description: Identify the specific systems, function or unit of the organization to be included in the review.
Audit Phase: Preaudit planning
Description: Identify technical skills and resources needed. Identify the sources of information for test or review, such as functional flow charts, policies, standards, procedures and prior audit work papers. Identify locations or facilities to be audited. Develop a communication plan at the beginning of each engagement that describes who to communicate to, when, how often and for what purpose(s).
Audit Phase: Audit procedures and steps for data gathering
Description: Identify and select the audit approach to verify and test the controls. Identify a list of individuals to interview. Identify and obtain departmental policies, standards and guidelines for review. Develop audit tools and methodology to test and verify control.
Audit Phase: Procedures for evaluating the test or review results
Description: Identify methods (including tools) to perform the evaluation. Identify criteria for evaluating the test (similar to a test script for the IS auditor to use in conducting the evaluation). Identify means and resources to confirm the evaluation was accurate (and repeatable, if applicable).
Audit Phase: Procedures for communication with management
Description: Determine frequency of communication.
Audit Phase: Audit report preparation
Description: Prepare documentation for final report. Disclose follow-up review procedures. Disclose procedures to evaluate/test operational efficiency and effectiveness. Disclose procedures to test controls. Review and evaluate the soundness of documents, policies and procedures.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.7

In the Big Picture
Task 1.2: Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
The Big Picture: The IS auditor will always focus on the protection of critical data, information and IS components that are of greatest value to the organization.
Discussion Question
An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.

Discussion Question
The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size
Task 1.3
Conduct audits in accordance with IS audit standards to achieve planned audit objectives.

Key Terms
Key Term: Audit evidence
Definition: The information used to support the audit opinion.
Key Term: Audit objective
Definition: The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.
Key Term: Audit program
Definition: A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Key Term: Computer-assisted audit technique (CAAT)
Definition: Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities.
Key Term: Evidence
Definition: The information an IS auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Key Term: Materiality
Definition: An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited; an expression of the relative significance or importance of a particular matter in the context of the organization as a whole.
Task to Knowledge Statements
How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards
Connection: Only through following the ISACA established and industry accepted IS audit and assurance standards and guidelines will the IS auditor be able to reasonably ensure both work product integrity and acceptance by all interested stakeholders.
Knowledge Statement: K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
Connection: The IS auditor must focus on the risks to data, information and critical system components to reasonably ensure the IS audit will achieve its stated purpose.
How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
Connection: ... of the business process being supported by the IS provides reasonable assurance the IS audit will achieve the intended IS audit objectives.
Knowledge Statement: K1.4 Knowledge of control principles related to controls in information systems
Connection: The IS auditor will need to address the key controls required to address the critical risks to business processes and the IS supporting the processes along with data and information.
Knowledge Statement: K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
Connection: Knowing your key risks will enable you to focus on the key objectives for the IS audit; hence, you will meet the primary objectives for the engagement.
Knowledge Statement: K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection, and preservation and frequency of audits
Connection: Almost all IS audits will involve both legal and regulatory compliance aspects. These should always be a consideration in the IS audit engagement objectives.
How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
Connection: In order to meet the stated business objectives, the evidence must be obtained, collected, analyzed and evaluated in the most efficient and effective manner while always protecting its integrity. Through the use of IS audit tools and techniques, the IS audit can realize these requirements.
Knowledge Statement: K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
Connection: Beyond the sheer volume of data and data sources an IS auditor is facing on each engagement, the IS auditor must ensure sampling techniques are used that enable the analysis to be representative of the overall transactional population (both IS system and business operations).
Knowledge Statement: K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
Connection: The IS auditor must establish and maintain clear and effective lines of communication from the planning through follow-up stages of all IS audit engagements.
Knowledge Statement: K1.10 Knowledge of audit quality assurance systems and frameworks
Connection: There may be guidelines and additional audit procedures that an IS auditor may wish to add in order to develop an opinion on the proper functioning of controls.
How does Task 1.3 relate to each of the following knowledge statements?
Knowledge Statement: K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
Connection: Recognizing that many recent, current and upcoming audits may provide adequate depth and coverage of areas could enable the IS auditor to place
the standards of professional practice and testing needed to provide reasonable assurance that the IS controls are operating effectively, efficiently and are aligned with both current and planned organizational goals and objectives.

IS Audit Steps
o Define the audit scope.
o Formulate the audit objectives.
o Identify the audit criteria.
o Perform audit procedures.
o Review and evaluate evidence.
o Form audit conclusions and opinions.
o Report to management after discussion with key process owners.

IS Audit Project Management
o Plan the audit engagement. Plan the audit considering project-specific risk.
o Build the audit plan. Chart the necessary audit tasks across a time line, optimizing resource use. Make realistic estimates of the time requirements for each task with proper consideration given to the availability of the auditee.
o Execute the plan. Execute audit tasks against the plan.
o Monitor project activity. IS auditors report their actual progress against planned audit steps to ensure challenges are managed proactively and the scope is completed within time and budget.

Internal vs. External Audits
Internal Audit: The audit charter is a document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity. It must be approved by the highest level of management or the audit committee. The scope and objectives of the audit function within the organization and is not specific to a particular IS audit.
External Audit: An engagement letter is a formal document which defines an IS assignment. It does not replace an audit charter. The scope and objectives of the audit are documented in a formal contract or statement of work.
Audit Objectives
A key element in IS audit planning is translating basic audit objectives into specific IS audit objectives.
Audit objectives refer to the specific goals that must be accomplished by the audit. They are often focused on validating that internal controls exist and are effective at minimizing business risk.

Audit Risk
Audit risk can be defined as the risk that information may contain a material error that may go undetected during the course of the audit.
The IS auditor should have a good understanding of audit risk when planning an audit.
Audit risk is influenced by:
o Inherent risk: the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented
o Control risk: the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
o Detection risk: misstatements have occurred that will not be detected by the IS auditor
o Overall audit risk: contain material errors
Proper sampling procedures and strong quality control processes can minimize detection risk.
Audit Programs
An audit program is a step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Audit programs are based on the scope and objective of the particular assignment. An audit program is the audit strategy and plan: it identifies scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.

Program Procedures
General audit procedures:
o Obtaining and recording an understanding of the audit area/subject
o A risk assessment and general audit plan and schedule
o Detailed audit planning
o Preliminary review of the audit area/subject
o Evaluating the audit area/subject
o Verifying and evaluating the appropriateness of controls designed to meet control objectives
o Compliance testing
o Substantive testing
o Reporting
o Follow-up

Fraud Detection
Legislation and regulations relating to corporate governance cast significant responsibilities on management, auditors and the audit committee regarding detection and disclosure of any fraud, whether material or not.
The presence of internal controls does not altogether eliminate fraud.
The IS auditor should be aware of potential legal requirements concerning the implementation of specific fraud detection procedures and reporting fraud to appropriate authorities. (ISACA IS Audit and Assurance Standard 1005 Due Professional Care)

Testing Methods
Compliance testing:
o Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
Substantive testing:
o Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

Procedures for Testing and Evaluating IS Controls
o The use of generalized audit software to survey the contents of data files (including system logs)
o The use of specialized software to assess the contents of OS database and application parameter files
o Flow-charting techniques for documenting automated applications and business processes
o The use of audit logs/reports available in operation/application systems
o Documentation review
o Inquiry and observation
o Walk-throughs
o Reperformance of controls
Testing Process
This figure shows the relationship between compliance and substantive testing and describes the two categories of substantive tests.
Source: ISACA, CISA Review Manual 26th Edition, figure 1.9

Evidence
Evidence is any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives and supports audit conclusions. (ISACA IS Audit and Assurance Standard 1205 Evidence)
Some types of evidence are more reliable than others. Reliability is determined by:
o The independence of the evidence provider
o The qualifications of the evidence provider
o The objectivity of the evidence
o The timing of the evidence
The IS auditor must focus on the objectives of the audit and not on the nature of the evidence. Evidence is considered competent when it is both valid and relevant.

Evidence Gathering Techniques
o Review IS organizational structures.
o Review IS policies and procedures.
o Review IS standards.
o Review IS documentation.
o Interview appropriate personnel.
o Observe processes and employee performances.
o Conduct a reperformance.
o Conduct walkthroughs.

Interviews and Observations
Observing personnel in the performance of their duties assists an IS auditor in identifying:
o Actual functions
o Actual processes/procedures
o Security awareness
o Reporting relationships
Note that personnel may change their behavior if they know they are being observed. Therefore, combine observations with interviews, which can provide adequate assurance that personnel have the required technical skills.
Sampling

Sampling is used when time and cost constrain the ability to test all transactions or events.
There are two approaches to sampling:
o Statistical sampling uses an objective method to determine the sample size and selection criteria.
o Nonstatistical sampling uses judgment to determine the sample size and selection criteria.

Sampling Methods

Attribute sampling
o Deals with the presence or absence of an attribute
o Expressed in rates of incidence
o Generally used in compliance testing
Three related types of proportional sampling: attribute sampling, stop-or-go sampling, discovery sampling

Variable sampling
o Deals with population characteristics that vary, such as monetary values and weights
o Provides conclusions related to deviations from the norm
o Generally used in substantive testing
Three types of variable sampling: stratified mean per unit, unstratified mean per unit, difference estimation

Sampling Key Terms

Term: Definition
Confidence coefficient: A percentage expression of the probability that the characteristics of the sample are a true representation of the population. The greater the confidence coefficient, the larger the sample size.
Level of risk: Equal to one minus the confidence coefficient. For example, if the confidence coefficient is 95 percent, the level of risk is five percent.
Precision: Set by the IS auditor, it represents the acceptable range difference between the sample and the actual population.
Expected error rate: An estimate, stated as a percent, of the errors that may exist. The greater the expected error rate, the greater the sample size. Applied to attribute sampling only.
Sampling Key Terms (continued)

Term: Definition
Sample mean: The sum of all sample values divided by the size of the sample. The sample mean measures the average value of the sample.
Sample standard deviation: Computes the variance of the sample values from the mean of the sample. Sample standard deviation measures the spread or dispersion of the sample values.
Tolerable error rate: Describes the maximum misstatement or number of errors that can exist without an account being materially misstated. It is used for the planned upper limit of the precision range for compliance testing. The term is expressed as a percentage.
Population standard deviation: A mathematical concept that measures the relationship to the normal distribution. The greater the standard deviation, the larger the sample size. Applied to variable sampling formulas only.

Sampling Steps

o Determine the objectives.
o Define the population.
o Determine the method.
o Calculate the sample size.
o Select the sample.
o Evaluate the sample.
Source: ISACA, Fundamentals of IS Audit and Assurance Training Course, USA, 2014
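A worked illustration of the sampling terms and steps above, added here as an example and not part of the ISACA course material. The sample-size and upper-limit formulas are the ordinary normal-approximation formulas for a proportion, an assumption of this example rather than a formula given on the slides; the ticket and invoice data are constructed.

```python
"""Worked example of the sampling key terms (added illustration, not ISACA
course material). The sample-size and upper-limit formulas are the standard
normal-approximation formulas for a proportion; that choice is an assumption
of this example, not a formula stated on the slides."""
import math
from statistics import NormalDist


def level_of_risk(confidence_coefficient):
    """Level of risk = 1 - confidence coefficient (95% confidence -> 5%)."""
    if not 0.0 < confidence_coefficient < 1.0:
        raise ValueError("confidence coefficient must be between 0 and 1")
    return round(1.0 - confidence_coefficient, 10)


def attribute_sample_size(confidence_coefficient, expected_error_rate, precision):
    """Attribute sampling (compliance testing): items to test so that the
    observed deviation rate lands within +/- precision of the population
    rate at the chosen confidence. n = z^2 * p * (1 - p) / precision^2.
    For the small error rates seen in practice, a higher confidence
    coefficient or a higher expected error rate both enlarge the sample."""
    z = NormalDist().inv_cdf(1.0 - level_of_risk(confidence_coefficient) / 2.0)
    p = expected_error_rate
    return math.ceil(z * z * p * (1.0 - p) / (precision * precision))


def evaluate_attribute_sample(deviations, confidence_coefficient, tolerable_error_rate):
    """Step 6, evaluate the sample: compare the one-sided upper limit of the
    deviation rate with the tolerable error rate. deviations is a list of
    0 (control operated) / 1 (deviation found) values."""
    n = len(deviations)
    rate = sum(deviations) / n
    z = NormalDist().inv_cdf(confidence_coefficient)  # one-sided
    upper_limit = rate + z * math.sqrt(rate * (1.0 - rate) / n)
    return {"sample_size": n, "deviation_rate": rate,
            "upper_limit": upper_limit,
            "control_relied_upon": upper_limit <= tolerable_error_rate}


def sample_mean(values):
    """Sum of all sample values divided by the size of the sample."""
    return sum(values) / len(values)


def sample_standard_deviation(values):
    """Spread of the sample values around the sample mean (n - 1 divisor)."""
    if len(values) < 2:
        raise ValueError("need at least two values")
    m = sample_mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / (len(values) - 1))


# Constructed inputs for the demonstration (not real audit data).
CHANGE_TICKETS = [0] * 57 + [1] * 3     # 3 of 60 tickets lacked an approval
INVOICE_AMOUNTS = [120.0, 80.0, 100.0, 110.0, 90.0]

if __name__ == "__main__":
    print("level of risk at 95% confidence:", level_of_risk(0.95))
    for conf, p in [(0.95, 0.05), (0.99, 0.05), (0.95, 0.10)]:
        print(f"confidence {conf:.0%}, expected error {p:.0%}, precision 3%:",
              attribute_sample_size(conf, p, 0.03))
    print(evaluate_attribute_sample(CHANGE_TICKETS, 0.95, 0.10))
    print("mean", sample_mean(INVOICE_AMOUNTS),
          "sd", round(sample_standard_deviation(INVOICE_AMOUNTS), 3))
```

Running it shows the two relationships the key-terms table states: raising the confidence coefficient from 95 to 99 percent, or the expected error rate from 5 to 10 percent, each enlarges the required sample.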
CAATs

CAATs help IS auditors collect sufficient, relevant and useful evidence that may only exist in electronic form. They are particularly useful when auditing systems that have different hardware and software environments, data structures, record formats or processing functions.
CAATs include many tools and techniques, such as:
o Generalized audit software (GAS)
o Utility software
o Debugging and scanning software
o Test data
o Application software tracing and mapping
o Expert systems
CAAT Considerations

Before the use of a CAAT, consider:
o Ease of use, both for existing and future audit staff
o Training requirements
o Complexity of coding and maintenance
o Flexibility of uses
o Installation requirements
o Processing efficiencies (especially with a PC CAAT)
o Effort required to bring the source data into the CAATs for analysis
o Ensuring the integrity of imported data by safeguarding their authenticity
o Recording the time stamp of data downloaded at critical processing points to sustain the credibility of the review
o Obtaining permission to install the software on the auditee servers
o Reliability of the software
o Confidentiality of the data being processed

Evaluation of Controls

The IS auditor should always review for compensating controls before reporting control weaknesses. The IS auditor must keep the concept of materiality in mind and judge what would be significant to different levels of management.
After gathering evidence, the IS auditor can use a control matrix to assess the strengths and weaknesses of the controls and determine if they are effective at meeting the control objectives.
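Returning to the CAAT considerations above: the following added example (not ISACA course material, and not any real audit tool) shows a small generalized-audit-software style survey of a system log that records a hash of the imported extract and a time stamp at each processing point, then flags IDs that look shared. The log format, the constants LOG_DATA and the functions parse_line, import_data and survey_shared_ids are assumptions of this example; the log lines are constructed.

```python
"""Added example (not ISACA course material): a generalized-audit-software
style survey of a system log, applying two CAAT considerations from the
slides: hash the imported data (integrity/authenticity) and time-stamp each
processing point. The log format and all data are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication log; the line format is assumed for this example.
LOG_DATA = """\
2016-03-01T08:02:11Z ok user=ops_shared host=10.0.0.5
2016-03-01T08:03:40Z ok user=ops_shared host=10.0.0.9
2016-03-01T08:05:02Z ok user=jsmith host=10.0.0.7
2016-03-01T08:05:59Z ok user=ops_shared host=10.0.0.5
2016-03-01T08:07:13Z ok user=ops_shared host=10.0.0.12
2016-03-01T09:15:00Z ok user=jsmith host=10.0.0.7
"""


def parse_line(line):
    """One record per line: <timestamp> <result> user=<id> host=<address>."""
    ts, result, user_kv, host_kv = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result,
            "user": user_kv.split("=", 1)[1],
            "host": host_kv.split("=", 1)[1]}


def import_data(raw):
    """Import step: keep the SHA-256 of the raw extract and the import time so
    the working papers show exactly what was analysed and when."""
    return {"sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
            "imported_at": datetime.now(timezone.utc).isoformat(),
            "records": [parse_line(line) for line in raw.splitlines() if line.strip()]}


def survey_shared_ids(records, window_minutes=10, min_hosts=3):
    """Flag IDs seen from min_hosts or more distinct hosts inside a time window,
    an indicator (not proof) that one ID is used by several people. Returns
    {user: sorted hosts} for flagged IDs, to be documented as a finding."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            hosts = {e["host"] for e in events[i:]
                     if (e["ts"] - start["ts"]).total_seconds() <= window_minutes * 60}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    extract = import_data(LOG_DATA)
    print("extract sha256:", extract["sha256"], "imported at", extract["imported_at"])
    print("possible shared IDs:", survey_shared_ids(extract["records"]))
    print("survey completed at", datetime.now(timezone.utc).isoformat())
```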
In the Big Picture

Task 1.3: Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
The Big Picture: ISACA IS Audit and Assurance Standards provide consistent and proven industry-accepted methods and techniques to achieve the IS audit objectives.

Discussion Question

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
A. …
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. …

Discussion Question

Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat

Task 1.4

Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
Key Terms

Key Term: Definition
Audit report: … management.
Stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.

Task to Knowledge Statements

How does Task 1.4 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques, Code of Professional Ethics and other applicable standards
    Connection: Knowledge of the ISACA IS Audit and Assurance Standards, Guidelines, and Tools and Techniques enables the IS auditor to establish clear and effective communications to the key stakeholders.
K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
    Connection: Using a risk-based approach will enable the IS auditor to communicate the most relevant and critical information throughout the IS audit engagement.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
    Connection: Knowledge of the business processes, along with the business-specific terminology, will enable clear and effective communications to the key stakeholders.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
    Connection: Based on specific legal and regulatory requirements applicable to the IS audit, the IS auditor will provide relevant reporting as to compliance with these requirements and enable stakeholders to take required actions to ensure compliance.
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
    Connection: The IS auditor must be able to speak to all levels of the organization to explain the results of the IS audit. Line management through the board of directors each have their specific needs for information related to the IS audit, and the IS auditor must be able to tailor the communications of these results accordingly.
K1.10 Knowledge of audit quality assurance systems and frameworks
    Connection: Through the use of quality assurance systems and frameworks (CSA, Lean Six Sigma, etc.), the IS auditor can be a facilitator of positive and effective change to the organization.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
    Connection: Based on the type of audit approach used, the IS auditor as the subject matter expert can deliver effective and change-provoking communications to stakeholders.
Communication of Results

The IS auditor communicates the audit results in an exit interview with management. Before communicating results of the audit to senior management, the IS auditor should discuss the findings with the key process owners to gain agreement on the findings and develop a course of corrective action.
During the exit interview, the IS auditor should:
o Ensure that the facts presented in the report are correct.
o Ensure that the recommendations are realistic and cost-effective, and if not, seek alternatives through negotiation with auditee management.
o Recommend implementation dates for agreed-upon recommendations.
IS auditors should feel free to communicate issues or concerns with senior management or the audit committee. The IS auditor can present the results of the audit in an executive summary or a visual presentation.

Audit Report

Audit reports present the recommendations to management. They are the end product of the IS audit work. The report should be balanced, describing not only negative issues in terms of findings but also positive constructive comments regarding improving processes and controls or effective controls already in place.

Audit Report Structure

ISACA IS Audit and Assurance Standard 1401 Reporting

The audit report format and structure is dependent on the …
… have the following structure and content:
o An introduction to the report, including the audit objectives, limitations and scope, the period of audit coverage, and a general statement on the procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
o Audit findings, often grouped in sections by materiality and/or intended recipient
o … adequacy of controls and procedures, and the actual potential risk identified as a consequence of detected deficiencies
o … the audit
o Detailed audit findings and recommendations
o A variety of findings, some of which may be quite material while others are minor in nature
Audit Documentation

ISACA IS Audit and Assurance Guideline 2203 Performance and Supervision

Audit documentation provides the necessary evidence that supports the audit findings and conclusions. It should be clear, complete and easily retrievable. It is the property of the auditing entity and should only be accessible to authorized personnel.
All audit documentation should be:
o Dated
o Initialed
o Page-numbered
o Self-contained
o Properly labeled
o Kept in custody

Audit documentation should include, at a minimum, a record of the following:
o Planning and preparation of the audit scope and objectives
o Description and/or walk-throughs on the scoped audit area
o Audit program
o Audit steps performed and audit evidence gathered
o Use of services of other auditors and experts
o Audit findings, conclusions and recommendations
o Audit documentation relation with document identification and dates
Documentation must include all information required by laws and regulations, contractual stipulations and professional standards.

In the Big Picture

Task 1.4: Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
The Big Picture: The IS auditor must provide stakeholders clear, concise and easily understood communications throughout all IS audit engagements.
Discussion Question

Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.

Discussion Question

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.

Task 1.5

Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Key Terms

Key Term: Definition
Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Task to Knowledge Statements

How does Task 1.5 relate to each of the following knowledge statements?

K1.1 Knowledge of ISACA IS Audit and Assurance Standards, Guidelines, Tools and Techniques, Code of Professional Ethics and other applicable standards
    Connection: As per ISACA IS Audit and Assurance Standards and Guidelines, the IS auditor must perform follow-up reviews to provide reasonable assurance that corrective actions for prior and existing audit findings are in place and operating effectively.
K1.2 Knowledge of risk assessment concepts, and tools and techniques in planning, examination, reporting and follow-up
    Connection: Based on the risk posed by a finding, the IS auditor needs to ensure audit finding corrective actions are completed in a timely manner to address potential cyber threats that, if left uncorrected, could be exploited.
K1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
    Connection: The IS auditor must be aware of the existing business processes and any changes to the business processes that could affect the follow-up to existing/prior audit findings.
K1.4 Knowledge of control principles related to controls in information systems
    Connection: The IS auditor must be able to translate general control categories into a real-world IS context. This enables both the identification and evaluation of controls in information systems.
K1.5 Knowledge of risk-based audit planning and audit project management techniques, including follow-up
    Connection: Not all open and recently closed findings are created equal, and the IS auditor must be able to use project management techniques to prioritize and schedule follow-up activities accordingly.
K1.6 Knowledge of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
    Connection: Based on legal and regulatory requirements, corrective action follow-up activities may have specific timelines and reporting requirements.
K1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
    Connection: Just like the original audit, all IS audit follow-up activities must be properly documented and linked to the existing/prior audit findings and the respective assessed corrective actions. Furthermore, the IS auditor needs to identify automated techniques that can be used to better perform the follow-up activities in a timely manner.
K1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures
    Connection: As with the original IS audit, the IS auditor will use recognized sampling techniques to gather and analyze data during the follow-up activities.
K1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification)
    Connection: The IS auditor will document and report the follow-up activities to all relevant stakeholders to ensure these parties are aware of the corrective action status of IS audit findings.
K1.10 Knowledge of audit quality assurance systems and frameworks
    Connection: The IS auditor should review the quality systems and frameworks used by the organization to address the IS audit findings and verify these methodologies were appropriate and effective.
K1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities
    Connection: Based on the type of audit (i.e., compliance, investigations, etc.), the IS auditor will need to know how to document and report the follow-up results. If more recent audits have been performed that may indicate the corrective actions are complete, the IS auditor will need to determine if the work performed is adequate to close the finding.

Follow-up Activities

ISACA IS Audit and Assurance Standard 1402 Follow-up Activities

Auditing is an ongoing process. The IS auditor has a responsibility to ensure that management has taken appropriate corrective actions. A follow-up program should be implemented to manage follow-up activities. When the follow-up occurs depends on the criticality of the audit findings. Results of the follow-up should be communicated to the appropriate level of management.

In the Big Picture

Task 1.5: Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
The Big Picture: The IS auditor is responsible for the timely verification of corrective actions in response to all IS audit findings.

Discussion Question

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
Discussion Question

The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve internal control procedures.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.

Domain 1 Summary

o This Domain is the foundation of the professional practice of IS audit and assurance.
o ISACA IS Audit and Assurance Standards and Guidelines enable the IS auditor to ensure they are meeting industry-wide acceptance of their work product.
o A risk-based approach must always be used throughout the IS audit engagement life cycle.
o The IS auditor must know the business process that the …
o Knowledge of evidence collection techniques ensures integrity and enables the accurate, correct and timely analysis of data and information during the IS audit.
o The IS auditor must understand the types of controls that can be used to mitigate risk.
o Sampling is critical to ensuring the testing is representative of the populations in scope for the IS audit.
o Most, if not all, IS audits now have either legal (business contracts) or regulatory impacts.
o The IS auditor must master written and verbal communications skills from planning through follow-up.