2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 1 - Pag - 1 2007 CISA Review Course CHAPTER 1 The IS Audit Process


Page 1: Chap1 2007 Cisa Review Course


2007 CISA Review Course

CHAPTER 1

The IS Audit Process

Page 2: Chap1 2007 Cisa Review Course


Chapter Overview

1. Introduction
– Organization of the IS audit function
– IS audit resource management
– Audit planning
– Laws and regulations
2. ISACA IS auditing standards and guidelines
3. Risk analysis
4. Internal controls
5. Performing an IS audit
6. Control self assessment
• Emerging changes in IS audit process
• Case Study

Page 3: Chap1 2007 Cisa Review Course


Process Area Objective

Ensure that the CISA candidate…

“The objective of the process area is to ensure that the CISA candidate has the knowledge necessary to provide information systems (IS) audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.”

Page 4: Chap1 2007 Cisa Review Course


Process Area Summary

According to the CISA Certification Board, this Process Area will represent approximately 10% of the CISA examination (approximately 20 questions).

Page 5: Chap1 2007 Cisa Review Course


Process Area Tasks

Five Tasks:

1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

2. Plan specific audits to ensure that IT and business systems are protected and controlled.

3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

4. Communicate emerging issues, potential risks and audit results to key stakeholders.

5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.

Page 6: Chap1 2007 Cisa Review Course


Process Area Knowledge Statements

Ten Knowledge Statements:

1. Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics.

2. Knowledge of IS auditing practices and techniques.

3. Knowledge of techniques to gather information and preserve evidence.

4. Knowledge of the evidence life cycle.

5. Knowledge of control objectives and controls related to IS.

Page 7: Chap1 2007 Cisa Review Course


Process Area Knowledge Statements

Ten Knowledge Statements (Cont’d):

6. Knowledge of risk assessment in an audit context

7. Knowledge of audit planning and management techniques

8. Knowledge of reporting and communication techniques

9. Knowledge of control self-assessment (CSA)

10. Knowledge of continuous audit techniques

Page 8: Chap1 2007 Cisa Review Course


I - INTRODUCTION

1. Organization of the IS Audit Function

• Audit charter (or engagement letter)
– Stating management’s responsibility and objectives for, and delegation of authority to, the IS audit function
– Outlining the overall authority, scope and responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter

Page 9: Chap1 2007 Cisa Review Course


I - INTRODUCTION

2. IS Audit Resource Management

• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff

Page 10: Chap1 2007 Cisa Review Course


I - INTRODUCTION

3. Audit Planning

• Audit planning
– Short-term planning
– Long-term planning
– Things to consider
  • New control issues
  • Changing technologies
  • Changing business processes
  • Enhanced evaluation techniques
• Individual audit planning
– Understanding of overall environment
  • Business practices and functions
  • Information systems and technology

Page 11: Chap1 2007 Cisa Review Course


I - INTRODUCTION

3. Audit Planning

Audit Planning Steps
– Gain an understanding of the business’s mission, objectives, purpose and processes.
– Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
– Evaluate risk assessment and privacy impact analysis.
– Perform a risk analysis.
– Conduct an internal control review.
– Set the audit scope and audit objectives.
– Develop the audit approach or audit strategy.
– Assign personnel resources to audit and address engagement logistics.

Page 12: Chap1 2007 Cisa Review Course


I - INTRODUCTION

4. Effect of Laws and Regulations on IS Audit Planning

Regulatory requirements
– Establishment
– Organization
– Responsibilities
– Correlation to financial, operational and IT audit functions

Page 13: Chap1 2007 Cisa Review Course


I - INTRODUCTION

4. Effect of Laws and Regulations on IS Audit Planning

Steps to determine compliance with external requirements:
– Identify external requirements
– Document pertinent laws and regulations
– Assess whether management and the IS function have considered the relevant external requirements
– Review internal IS department documents that address adherence to applicable laws
– Determine adherence to established procedures

Page 14: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

1. ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of the Association and/or holders of the CISA and CISM designation.

Page 15: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

Framework for the ISACA IS Auditing Standards

– Standards

– Guidelines

– Procedures

Page 16: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

Objectives of ISACA IS Auditing Standards

• Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners

• Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics

Page 17: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

IS Auditing Standards

1. Audit charter

2. Independence

3. Ethics and Standards

4. Competence

5. Planning

6. Performance of audit work

7. Reporting

8. Follow-up activities

9. Irregularities and illegal acts

10. IT governance

11. Use of risk assessment in audit planning

Page 18: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

1. Audit charter
– Purpose, responsibility, authority and accountability
– Approval

2. Independence
– Professional independence
– Organizational independence

Page 19: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

3. Professional Ethics and Standards

Code of Professional Ethics

Due professional care

4. Competence

Skills and knowledge

Continuing professional education

Page 20: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

5. Planning

• Plan IS audit coverage

• Develop and document a risk-based audit approach

• Develop and document an audit plan

• Develop an audit program and procedures

Page 21: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

6. Performance of audit work

Supervision

Evidence

Documentation

Page 22: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

7. Reporting
– Identify the organization, intended recipients and any restrictions
– State the scope, objectives, coverage and nature of audit work performed
– State the findings, conclusions and recommendations and limitations
– Justify the results reported
– Be signed, dated and distributed according to the audit charter

Page 23: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

8. Follow-up Activities

Review previous conclusions and recommendations

Review previous relevant findings

Determine whether appropriate actions have been taken by management in a timely manner

Page 24: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

9. Irregularities and Illegal Acts

Consider the risk of irregularities and illegal acts

Maintain an attitude of professional skepticism

Obtain an understanding of the organization and its environment

Consider unusual or unexpected relationships

Test the appropriateness of internal control

Assess any misstatement

Page 25: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

9. Irregularities and Illegal Acts (Cont.)

Obtain written representations from management

Have knowledge of any allegations of irregularities or illegal acts

Communicate material irregularities/illegal acts

Consider appropriate action in case of inability to continue performing the audit

Document irregularity/illegal act related communications, planning, results, evaluations and conclusions

Page 26: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

10. IT Governance

Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies.

Review the IS function’s statement about the performance and assess its achievement

Review and assess the effectiveness of IS resource and performance management processes

Page 27: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

10. IT Governance (Cont)

Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements

Use a risk-based approach to evaluate the IS function

Review and assess the organization’s control environment

Review and assess the risks that may adversely affect the IS environment.

Page 28: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

2. ISACA IS Auditing Standards

11. Use of Risk Assessment in Audit Planning

Use a risk assessment technique in developing the overall IS audit plan

Identify and assess relevant risks in planning individual reviews

Page 29: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

3. ISACA IS Auditing Guidelines

G1 Using the Work of Other Auditors, effective 1 June 1998
G2 Audit Evidence Requirement, effective 1 December 1998
G3 Use of Computer Assisted Audit Techniques (CAATs), effective 1 December 1998
G4 Outsourcing of IS Activities to Other Organisations, effective 1 September 1999
G5 Audit Charter, effective 1 September 1999
G6 Materiality Concepts for Auditing Information Systems, effective 1 September 1999
G7 Due Professional Care, effective 1 September 1999
G8 Audit Documentation, effective 1 September 1999
G9 Audit Considerations for Irregularities, effective 1 March 2000
G10 Audit Sampling, effective 1 March 2000
G11 Effect of Pervasive IS Controls, effective 1 March 2000
G12 Organizational Relationship and Independence, effective 1 September 2000
G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 Application Systems Review, effective 1 November 2001
G15 Planning Revised, effective 1 March 2002
G16 Effect of Third Parties on an Organization’s IT Controls, effective 1 March 2002
G17 Effect of Nonaudit Role on the IS Auditor’s Independence, effective 1 July 2002
G18 IT Governance, effective 1 July 2002
G19 Irregularities and Illegal Acts, effective 1 July 2002

Page 30: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

3. ISACA IS Auditing Guidelines

G20 Reporting, effective 1 January 2003
G21 Enterprise Resource Planning (ERP) Systems Review, effective 1 August 2003
G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003
G24 Internet Banking, effective 1 August 2003
G25 Review of Virtual Private Networks, effective 1 July 2004
G26 Business Process Reengineering (BPR) Project Reviews, effective 1 July 2004
G27 Mobile Computing, effective 1 September 2004
G28 Computer Forensics, effective 1 September 2004
G29 Post-implementation Review, effective 1 January 2005
G30 Competence, effective 1 June 2005
G31 Privacy, effective 1 June 2005
G32 Business Continuity Plan (BCP) Review From IT Perspective, effective 1 September 2005
G33 General Considerations on the Use of the Internet, effective 1 March 2006
G34 Responsibility, Authority and Accountability, effective 1 March 2006
G35 Follow-up Activities, effective 1 March 2006

Page 31: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

4. ISACA IS Auditing Procedures

Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement.

– Procedures developed by the ISACA Standards Board provide examples
– The IS auditor should apply their own professional judgment to the specific circumstances

Page 32: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

4. ISACA IS Auditing Procedures

P1 IS Risk Assessment, effective 1 July 2002
P2 Digital Signatures, effective 1 July 2002
P3 Intrusion Detection, effective 1 August 2003
P4 Viruses and Other Malicious Code, effective 1 August 2003
P5 Control Risk Self-assessment, effective 1 August 2003
P6 Firewalls, effective 1 August 2003
P7 Irregularities and Illegal Acts, effective 1 November 2003
P8 Security Assessment—Penetration Testing and Vulnerability Analysis, effective 1 September 2004
P9 Evaluation of Management Controls Over Encryption Methodologies, effective 1 January 2005

Page 33: Chap1 2007 Cisa Review Course


II - ISACA IS Auditing Standards and Guidelines

5. Relationship among Standards, Guidelines and Procedures

– Standards: must be followed by IS auditors
– Guidelines: provide assistance on how to implement the standards
– Procedures: provide examples for implementing the standards

Page 34: Chap1 2007 Cisa Review Course


III – Risk Analysis

i. Definition of Risk

The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.

Page 35: Chap1 2007 Cisa Review Course


III – Risk Analysis

ii. Elements of Risk

– Threats to, and vulnerabilities of, processes and/or assets (including both physical and information assets)

– Impact on assets based on threats and vulnerabilities

– Probabilities of threats (combination of the likelihood and frequency of occurrence)

Page 36: Chap1 2007 Cisa Review Course


III – Risk Analysis

iii. Risk and Audit Planning

Risk analysis is part of the audit planning and it helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks.

Page 37: Chap1 2007 Cisa Review Course


III – Risk Analysis

iv. Risk Management Process

– Risk assessment

– Risk mitigation

– Risk reevaluation

Page 38: Chap1 2007 Cisa Review Course


IV – Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks

Classification of Internal Controls

– Preventive controls

– Detective controls

– Corrective controls

Page 39: Chap1 2007 Cisa Review Course


IV – Internal Controls

1. Internal Control Objectives

Internal Control System
– Internal accounting controls
– Operational controls
– Administrative controls

Page 40: Chap1 2007 Cisa Review Course


IV – Internal Controls

1. Internal Control Objectives

Internal Control Objectives
• Safeguarding of IT assets
• Compliance to corporate policies or legal requirements
• Input
• Authorization
• Accuracy and completeness of processing of data input/transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
• Change management process for IT and related systems

Page 41: Chap1 2007 Cisa Review Course


IV – Internal Controls

2. IS Control Objectives

Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

Page 42: Chap1 2007 Cisa Review Course


IV – Internal Controls

2. IS Control Objectives

• Safeguarding assets
• Assuring the integrity of general operating system environments
• Assuring the integrity of sensitive and critical application system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity

Page 43: Chap1 2007 Cisa Review Course


IV – Internal Controls

2. IS Control Objectives (Cont)

• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures, and applicable laws
• Developing business continuity and disaster recovery plans
• Developing an incident response plan

Page 44: Chap1 2007 Cisa Review Course


IV – Internal Controls

3. CobiT

– A framework with 34 high-level control objectives
  • Planning and organization
  • Acquisition and implementation
  • Delivery and support
  • Monitoring and evaluation
– Use of 36 major IT related standards and regulations

Page 45: Chap1 2007 Cisa Review Course


IV – Internal Controls

4. General Control Procedures

Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Page 46: Chap1 2007 Cisa Review Course


IV – Internal Controls

4. General Control Procedures

• Internal accounting controls directed at accounting operations
• Operational controls concerned with the day-to-day operations
• Administrative controls concerned with operational efficiency and adherence to management policies
• Organizational logical security policies and procedures
• Overall policies for the design and use of documents and records
• Procedures and features to ensure authorized access to assets
• Physical security policies for all data centers

Page 47: Chap1 2007 Cisa Review Course


IV – Internal Controls

5. IS Control Procedures

• Strategy and direction
• General organization and management
• Access to data and programs
• Systems development methodologies and change control
• Data processing operations
• Systems programming and technical support functions
• Data processing quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration

Page 48: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

Definition of Auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS Auditing

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Page 49: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

1. Classification of Audits

– Financial audits

– Operational audits

– Integrated audits

– Administrative audits

– Information systems audits

– Specialized audits

– Forensic audits

Page 50: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

2. Audit Programs

– Based on the scope and the objective of the particular assignment

– IS auditor’s perspectives

• Security (confidentiality, integrity and availability)

• Quality (effectiveness, efficiency)

• Fiduciary (compliance, reliability)

• Service and Capacity

Page 51: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

2. Audit Programs

General audit procedures
– Understanding of the audit area/subject
– Risk assessment and general audit plan
– Detailed audit planning
– Preliminary review of audit area/subject
– Evaluating audit area/subject
– Compliance testing
– Substantive testing
– Reporting (communicating results)
– Follow-up

Page 52: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

2. Audit Programs

Procedures for testing & evaluating IS controls
– Use of generalized audit software to survey the contents of data files
– Use of specialized software to assess the contents of operating system parameter files
– Flow-charting techniques for documenting automated applications and business process
– Use of audit reports available in operating systems
– Documentation review
– Observation

Page 53: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

– A set of documented audit procedures designed to achieve planned audit objectives
– Composed of
  • Statement of scope
  • Statement of audit objectives
  • Statement of work programs
– Set up and approved by the audit management
– Communicated to all audit staff

Page 54: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Typical audit phases

1. Audit subject
Identify the area to be audited

2. Audit objective
Identify the purpose of the audit

3. Audit scope
Identify the specific systems, function or unit of the organization

Page 55: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Typical audit phases (Cont)

4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or review
Identify locations or facilities to be audited

Page 56: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Typical audit phases (Cont)

5. Audit procedures and steps for data gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies, standards and guidelines
Develop audit tools and methodology

Page 57: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Typical audit phases (Cont)

6. Procedures for evaluating test/review result

7. Procedures for communication

8. Audit report preparation
• Identify follow-up review procedures
• Identify procedures to evaluate/test operational efficiency and effectiveness
• Identify procedures to test controls
• Review and evaluate the soundness of documents, policies and procedures

Page 58: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Workpapers (WPs)

What are documented in WPs?

– Audit plans

– Audit programs

– Audit activities

– Audit tests

– Audit findings and incidents

Page 59: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

3. Audit Methodology

Workpapers (Cont)

– Do not have to be on “paper”
– Must be
  • Dated
  • Initialized
  • Page-numbered
  • Relevant
  • Complete
  • Clear
  • Self-contained and properly labeled
  • Filed and kept in custody

Page 60: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

4. Fraud Detection

– Management’s responsibility

– Benefits of a well-designed internal control system

• Deterring frauds at the first instance

• Detecting frauds in a timely manner

– Fraud detection and disclosure

– Auditor’s role in fraud prevention and detection

Page 61: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

5. Audit Risk and Materiality

Audit Risk

– Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.

– A risk-based audit approach is used to assess risk and assist with an IS auditor’s decision to perform either compliance or substantive testing.

Page 62: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

5. Audit Risk and Materiality

Audit Risks - Categories
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk

Page 63: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

5. Audit Risk and Materiality

Risk-based Approach Overview
– Gather Information and Plan
– Obtain Understanding of Internal Control
– Perform Compliance Tests
– Perform Substantive Tests
– Conclude the Audit

Page 64: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

5. Audit Risk and Materiality

Materiality

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

Page 65: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

6. Risk Assessment Techniques

Risk Assessment Techniques
– Enables management to effectively allocate limited audit resources

– Ensures that relevant information has been obtained

– Establishes a basis for effectively managing the audit department

– Provides a summary of how the individual audit subject is related to the overall organization and to business plans

Page 66: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

7. Audit Objectives

Audit Objectives - Specific goals of the audit

– Compliance with legal & regulatory requirements

– Confidentiality

– Integrity

– Reliability

– Availability

Page 67: Chap1 2007 Cisa Review Course


V – Performing an IS Audit

8. Compliance vs. Substantive Testing

– Compliance test: determines whether controls are in compliance with management policies and procedures

– Substantive test: tests the integrity of actual processing

– Correlation between the level of internal controls and substantive testing required

– Relationship between compliance and substantive tests

Page 68: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
9. Evidence

It is a requirement that the auditor’s conclusions must be based on sufficient, competent evidence
– Independence of the provider of the evidence
– Qualification of the individual providing the information or evidence
– Objectivity of the evidence
– Timing of evidence

Page 69: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
9. Evidence

Techniques for gathering evidence:
– Review IS organization structures
– Review IS policies and procedures
– Review IS standards
– Review IS documentation
– Interview appropriate personnel
– Observe processes and employee performance

Page 70: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
10. Interviewing and Observing Personnel in action

– Actual functions
– Actual processes/procedures
– Security awareness
– Reporting relationships

Page 71: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
11. Sampling

– General approaches to audit sampling:
  • Statistical sampling
  • Non-statistical sampling
– Methods of sampling used by auditors:
  • Attribute sampling
  • Variable sampling

Page 72: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
11. Sampling

Sampling (Cont)
– Attribute sampling
  • Stop-or-go sampling
  • Discovery sampling
– Variable sampling
  • Stratified mean per unit
  • Unstratified mean per unit
  • Difference estimation

Page 73: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
11. Sampling

Statistical sampling terms:
– Confidence coefficient
– Level of risk
– Precision
– Expected error rate
– Sample mean
– Sample standard deviation
– Tolerable error rate
– Population standard deviation

Page 74: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
11. Sampling

Key steps in choosing a sample
– Determine the objectives of the test
– Define the population to be sampled
– Determine the sampling method, such as attribute versus variable sampling
– Calculate the sample size
– Select the sample
– Evaluate the sample from an audit perspective
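The steps above, carried through as a worked attribute-sampling compliance test. This is an added example and not part of the ISACA course material: the population of change tickets, the seed values and the deviation rate are constructed here, and the sample-size rule is the standard binomial one (the smallest sample in which observing the expected number of deviations still supports the stated confidence), which reproduces the usual attribute sampling tables. It also serves the compliance test described under "8. Compliance vs. Substantive Testing", since the attribute tested is whether each change carries the approval the policy requires.

```python
"""Attribute sampling for a compliance test of change management.

Added example, not part of the ISACA course material. It walks the key
steps: objective (are production changes approved?), population (a
constructed set of change tickets), method (attribute sampling), sample
size (binomial rule), selection (seeded random draw) and evaluation
(achieved upper deviation limit versus the tolerable rate).
"""
import random
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the sample shows no more than the expected
    number of deviations (ceil(expected_rate * n)), the auditor can conclude
    at the given confidence that the true deviation rate is within the
    tolerable rate. Matches the common attribute sampling tables."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected rate < tolerable rate < 1")
    for n in range(1, max_n + 1):
        allowed = ceil(expected_rate * n)
        if binom_cdf(allowed, n, tolerable_rate) <= 1 - confidence:
            return n
    raise ValueError("no sample size found up to max_n")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation limit: the largest population deviation rate
    still consistent with observing <= deviations in n items at this
    confidence (bisection on the binomial CDF, which falls as p rises)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid      # mid is still plausible, so the limit lies above it
        else:
            hi = mid
    return hi


def make_population(size: int, seed: int, missing_rate: float = 0.02) -> list[dict]:
    """Constructed population of change tickets; roughly missing_rate of them
    lack the required approval (the control deviation being tested for)."""
    rng = random.Random(seed)
    return [{"id": f"CHG-{i:04d}", "approved": rng.random() >= missing_rate}
            for i in range(size)]


def evaluate_sample(population: list[dict], confidence: float,
                    tolerable_rate: float, expected_rate: float,
                    seed: int) -> dict:
    """Steps 4 to 6: size the sample, draw it without replacement, count
    deviations and decide whether the control can be relied upon."""
    n = attribute_sample_size(confidence, tolerable_rate, expected_rate)
    sample = random.Random(seed).sample(population, n)
    deviations = sum(1 for t in sample if not t["approved"])
    limit = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "upper_deviation_limit": round(limit, 4),
        "rely_on_control": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    population = make_population(2000, seed=7)
    print(evaluate_sample(population, confidence=0.95, tolerable_rate=0.05,
                          expected_rate=0.01, seed=42))
```

With 95 percent confidence, a 5 percent tolerable rate and a 1 percent expected rate the rule yields 93 items, and the sample supports reliance only if at most one unapproved change turns up; a second deviation pushes the achieved upper limit above the tolerable rate, which is the point at which the auditor extends substantive testing instead of relying on the control.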

Page 75: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts:
• Restrictions on outsourcing of audit/security services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors and experts
• Professional competence, qualifications and experience

Page 76: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
12. Using the Services of Other Auditors and Experts

Considerations when using services of other auditors and experts (Cont):
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards

Page 77: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– CAATs enable IS auditors to gather information independently
– CAATs include:
  • Generalized audit software (GAS)
  • Utility software
  • Test data
  • Application software for continuous online audits
  • Audit expert systems

Page 78: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– Need for CAATs
  • Evidence collection
– Functional capabilities
  • Functions supported
  • Areas of concern

Page 79: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

– Examples of CAATs used to collect evidence
– CAATs as a continuous online approach
– Advantages of CAATs
– Cost/benefits of CAATs

Page 80: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
13. Computer-assisted Audit Techniques

Development of CAATs
• Documentation retention
• Access to production data
• Data manipulation
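What a generalized audit software run looks like in practice, as an added example that is not from the ISACA course or any GAS product: the script extracts the records of relevance (unpaid invoices past a given age) and then performs a substantive test by recomputing the aging schedule from the detail and reconciling it to the figures the application reported. The accounts receivable file, the as-of date and the reported aging totals are all constructed here so that it runs offline; the working-copy discipline is the slide's "access to production data" point, since the auditor works on an extracted copy, never against the live tables.

```python
"""GAS-style CAAT: extract records of relevance, then recompute and
reconcile (substantive test) against the application's own aging report.

Added example, not from the ISACA course. Invoice file, as-of date and
the 'reported' aging figures are constructed for the demonstration.
"""
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed open-item extract, as imported from the application into the audit workspace.
INVOICES_CSV = """invoice_id,customer,amount,due_date,paid
INV-1001,ACME,1200.00,2007-01-15,N
INV-1002,ACME,350.50,2007-03-01,Y
INV-1003,Globex,4800.00,2006-11-30,N
INV-1004,Initech,99.99,2007-02-20,N
INV-1005,Globex,2500.00,2007-03-10,N
"""

AS_OF = date(2007, 3, 31)

# Constructed aging report as printed by the application; the recomputation
# below is the substantive test of its integrity.
REPORTED_AGING = {
    "current": Decimal("2500.00"),
    "31-60": Decimal("99.99"),
    "61-90": Decimal("6000.00"),
    "over_90": Decimal("0.00"),
}

# (bucket name, minimum days overdue, maximum days overdue or None)
BUCKETS = (("current", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90), ("over_90", 91, None))


def parse_invoices(text: str) -> list[dict]:
    """Read the CSV extract into typed records (Decimal amounts, real dates)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice_id": row["invoice_id"],
            "customer": row["customer"],
            "amount": Decimal(row["amount"]),
            "due_date": date.fromisoformat(row["due_date"]),
            "paid": row["paid"] == "Y",
        })
    return rows


def days_overdue(inv: dict, as_of: date = AS_OF) -> int:
    return (as_of - inv["due_date"]).days


def bucket_for(days: int) -> str:
    for name, lo, hi in BUCKETS:
        if days >= lo and (hi is None or days <= hi):
            return name
    return "current"   # negative days: not yet due


def extract_overdue(invoices: list[dict], min_days: int, as_of: date = AS_OF) -> list[str]:
    """Extraction: ids of unpaid invoices at least min_days past due."""
    return sorted(inv["invoice_id"] for inv in invoices
                  if not inv["paid"] and days_overdue(inv, as_of) >= min_days)


def age_receivables(invoices: list[dict], as_of: date = AS_OF) -> dict:
    """Recompute the aging schedule from the detail records."""
    totals = {name: Decimal("0.00") for name, _, _ in BUCKETS}
    for inv in invoices:
        if not inv["paid"]:
            totals[bucket_for(days_overdue(inv, as_of))] += inv["amount"]
    return totals


def compare_to_report(computed: dict, reported: dict) -> dict:
    """Substantive test: per-bucket differences (computed minus reported),
    only where non-zero; an empty dict means the report reconciles."""
    return {k: computed[k] - reported[k] for k in computed if computed[k] != reported[k]}


if __name__ == "__main__":
    invoices = parse_invoices(INVOICES_CSV)
    print("over 90 days:", extract_overdue(invoices, 90))
    aging = age_receivables(invoices)
    print("recomputed aging:", aging)
    print("exceptions vs report:", compare_to_report(aging, REPORTED_AGING))
```

On the constructed data the grand total reconciles but one invoice has been reported in the 61-90 bucket instead of over 90 days, which is exactly the kind of classification error a control-total check alone would miss and a recomputation from detail surfaces.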

Page 81: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
14. Evaluation of Audit Strengths and Weaknesses

– Assess evidence
– Evaluate overall control structure
– Evaluate control procedures
– Assess control strengths and weaknesses

Page 82: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
14. Evaluation of Audit Strengths and Weaknesses

Judging Materiality of Findings
– Materiality is a key issue
– Assessment requires judgment of the potential effect of the finding if corrective action is not taken

Page 83: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
15. Communicating Audit Results

– Exit interview
  • Correct facts
  • Realistic recommendations
  • Implementation dates for agreed recommendations
– Presentation techniques
  • Executive summary
  • Visual presentation

Page 84: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
15. Communicating Audit Results

Audit report structure and contents
– An introduction to the report
– The IS auditor’s overall conclusion and opinion
– The IS auditor’s reservations with respect to the audit
– Detailed audit findings and recommendations
– A variety of findings
– Limitations to audit
– Statement on the IS audit guidelines followed

Page 85: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
16. Management Implementation of Recommendations

– Auditing is an ongoing process
– Timing of follow-up

Page 86: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
17. Audit Documentation

– Contents of audit documentation
– Custody of audit documentation
– Support of findings and conclusions

Page 87: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
17. Audit Documentation

Documentation should include, at a minimum, a record of the:
• Planning and preparation of the audit scope and objectives
• Description and/or walkthroughs on the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors and experts
• Audit findings, conclusions and recommendations

Page 88: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
17. Audit Documentation

– Constraints on the Conduct of the Audit
  • Availability of audit staff
  • Auditee constraints
– Project Management Techniques
  • Develop a detailed plan
  • Report project activity against the plan
  • Adjust the plan
  • Take corrective action

Page 89: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

1. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

Page 90: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

2. Which of the following types of risk assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

Page 91: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

3. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?

A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies

Page 92: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

4. The GREATEST drawback in using an integrated test facility is the need to:

A. Isolate test data from production data
B. Notify user personnel so they can make adjustments to output
C. Segregate specific master file records
D. Collect transaction and master file records in a separate file

Page 93: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

5. To meet predefined criteria, which of the following continuous audit techniques would BEST identify transactions to audit?

A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and intermittent simulation (CIS)
C. Integrated test facilities (ITF)
D. Audit hooks

Page 94: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

6. Which of the following BEST describes the early stages of an IS audit?

A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding business process and environment applicable to the review
D. Reviewing prior IS audit reports

Page 95: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

7. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

Page 96: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

8. The PRIMARY use of generalized audit software (GAS) is to:

A. Test controls embedded in programs
B. Test unauthorized access to data
C. Extract data of relevance to the audit
D. Reduce the need for transaction vouching

Page 97: Chap1 2007 Cisa Review Course

V – Performing an IS Audit
Chapter 1 Question

9. An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. The IS auditor should:

A. Disregard these control weaknesses, as a system software review is beyond the scope of this review
B. Conduct a detailed system software review and report the control weaknesses
C. Include in the report a statement that the audit was limited to a review of the application’s controls
D. Review the system software controls as relevant and recommend a detailed system software review

Page 98: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment

• A management technique
• A methodology
• In practice, a series of tools

Page 99: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment

Implementation of CSA
– Facilitated workshops
– Hybrid approach

Page 100: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
1. Benefits of CSA

• Early detection of risks
• More effective and improved internal controls
• Creation of cohesive teams through employee involvement
• Increased employee awareness of organizational objectives and knowledge of risk and internal controls
• Increased communication between operational and top management
• Highly motivated employees

Page 101: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
1. Benefits of CSA

• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and customers
• Necessary assurance given to top management about the adequacy of internal controls, as required by the various regulatory agencies and laws such as the US Sarbanes-Oxley Act

Page 102: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
2. Disadvantages of CSA

• It could be mistaken as an audit function replacement
• It may be regarded as an additional workload (e.g., one more report to be submitted to management)
• Failure to act on improvement suggestions could damage employee morale
• Lack of motivation may limit effectiveness in the detection of weak controls

Page 103: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment

Objectives of CSA
– Enhancement of audit responsibilities (not a replacement)
– Education for line management in control responsibility and monitoring
– Empowerment of workers to assess the control environment

Page 104: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
3. Auditor Role in CSA

When these programs are established, auditors become
• Internal control professionals
• Assessment facilitators

– the auditors are facilitators
– the management client is the participant in the CSA process

Page 105: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
4. Technology Drivers for CSA

Some technology drivers include
– combination of hardware and software to support CSA selection
– use of an electronic meeting system
– computer-supported decision aids to facilitate group decision making

Group decision making is an essential component of a workshop-based CSA where employee empowerment is a goal

Page 106: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
5. Traditional vs. CSA Approach

Traditional approach
Any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors and, to a lesser extent, controller departments and outside consultants.

CSA approach
Emphasizes management and accountability over developing and monitoring internal controls of an organization’s sensitive and critical business processes

Page 107: Chap1 2007 Cisa Review Course

VI - Control Self-Assessment
Chapter 1 Question

10. Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?

A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams

Page 108: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
1. Automated Work papers

– Risk analysis
– Audit programs
– Results
– Test evidence
– Conclusions
– Reports and other complementary information

Page 109: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
1. Automated Work papers

Controls over automated work papers:
• Access to work papers
• Audit trails
• Approvals of audit phases
• Security and integrity controls
• Backup and restoration
• Encryption for confidentiality
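Three of the controls on this slide (audit trail, approvals of audit phases, integrity) in working form, as an added example that is not from the ISACA course or any work-paper product: each entry records who did what in which phase, is chained to the previous entry and is sealed with an HMAC under a key held by audit management, so any later edit, reordering or insertion breaks verification. The key, timestamps and entries are constructed. Encryption for confidentiality is applied to the stored file separately and is not shown; the one gap the chain alone leaves, silent truncation of the newest entries, is closed by recording the head MAC out of band and passing it to the verifier.

```python
"""Tamper-evident automated work papers: a hash chain sealed with an HMAC.

Added example, not from the ISACA course. Key, users and entries are
constructed for the demonstration; the key would live with audit
management, not with the auditors who write entries.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64   # 'previous MAC' value for the first entry


class WorkPaperLog:
    FIELDS = ("seq", "ts", "user", "phase", "action", "content", "prev")

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, entry: dict) -> str:
        # Canonical JSON of the sealed fields, so the MAC is reproducible.
        body = json.dumps({f: entry[f] for f in self.FIELDS}, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, ts: str, user: str, phase: str, action: str, content: str) -> str:
        """Add an audit-trail record (who, when, which phase, what) and return its MAC."""
        entry = {"seq": len(self.entries), "ts": ts, "user": user, "phase": phase,
                 "action": action, "content": content,
                 "prev": self.entries[-1]["mac"] if self.entries else GENESIS}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry["mac"]

    def head(self) -> str:
        """MAC of the newest entry; record it out of band after each session."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> tuple:
        """Walk the chain. Returns (ok, index): index of the first bad entry,
        or the entry count on success. Supplying expected_head also detects
        truncation of the tail, which the chain by itself cannot."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(self._mac(e), e["mac"]):
                return False, i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, len(self.entries)

    def phase_approved(self, phase: str) -> bool:
        """Approval control: a phase counts as approved only if the chain is
        intact and an 'approve' record for that phase exists."""
        ok, _ = self.verify()
        return ok and any(e["phase"] == phase and e["action"] == "approve"
                          for e in self.entries)


if __name__ == "__main__":
    log = WorkPaperLog(b"constructed-demo-key")
    log.append("2007-03-01T09:00:00Z", "auditor1", "planning", "record", "Scope: change management")
    log.append("2007-03-02T17:30:00Z", "auditor1", "fieldwork", "record", "Sampled 93 change tickets")
    head = log.append("2007-03-03T10:00:00Z", "manager1", "fieldwork", "approve", "Fieldwork reviewed")
    print("intact:", log.verify(head), "fieldwork approved:", log.phase_approved("fieldwork"))
    log.entries[1]["content"] = "Sampled 25 change tickets"   # simulated after-the-fact edit
    print("after edit:", log.verify(head))
```

Because the approval check runs the chain verification first, an approval recorded for a phase whose earlier entries were later altered no longer counts, which is the behaviour an auditor wants when the work papers are the support for the findings.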

Page 110: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
2. Integrated Auditing

Process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
– Focuses on risk to the organization (for an internal auditor)
– Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

Page 111: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
2. Integrated Auditing

Typical process:
– Identification of relevant key controls
– Review and understanding of the design of key controls
– Testing that key controls are supported by the IT system
– Testing that management controls operate effectively
– A combined report or opinion on control risks, design and weaknesses

Page 112: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Definition

“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter”

Page 113: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

– Distinctive character
  • short time lapse between the facts to be audited and the collection of evidence and audit reporting
– Drivers
  • better monitoring of financial issues
  • allowing real-time transactions to benefit from real-time monitoring
  • preventing financial fiascoes and audit scandals
  • using software to determine proper financial controls

Page 114: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Continuous Auditing vs. Continuous Monitoring

Continuous monitoring
– Management-driven
– Based on automated procedures to meet fiduciary responsibilities

Continuous auditing
– Audit-driven
– Done using automated audit procedures

Page 115: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Enablers for the Application of Continuous Auditing
– New information technology developments
– Increased processing capabilities
– Standards
– Artificial intelligence tools

Page 116: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

IT techniques in a continuous auditing environment
– Transaction logging
– Query tools
– Statistics and data analysis (CAAT)
– Database management systems (DBMS)
– Data warehouses, data marts, data mining
– Artificial intelligence (AI)
– Embedded audit modules (EAM)
– Neural network technology
– Standards such as Extensible Business Reporting Language

Page 117: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

Prerequisites
– A high degree of automation
– An automated and reliable information-producing process
– Alarm triggers to report control failures
– Implementation of automated audit tools
– Quickly informing IS auditors of anomalies/errors
– Timely issuance of automated audit reports
– Technically proficient IS auditors
– Availability of reliable sources of evidence
– Adherence to materiality guidelines
– Change of IS auditors’ mind-set
– Evaluation of cost factors

Page 118: Chap1 2007 Cisa Review Course

VII - Emerging changes in the IS audit process
3. Continuous Auditing

– Advantages
  • Instant capture of internal control problems
  • Reduction of intrinsic audit inefficiencies
– Disadvantages
  • Difficulty in implementation
  • High cost
  • Elimination of auditors’ personal judgment and evaluation
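The continuous auditing technique the chapter's question 5 points at, an embedded audit module writing to a systems control audit review file (SCARF/EAM), shown in working form as an added example that is not from the ISACA course or any product: transactions are screened against predefined criteria as they are posted, hits go to the review file, and an alarm line is raised for each hit, which is the "alarm triggers" and "quickly informing IS auditors" prerequisites from the earlier slide. The transaction stream, the thresholds and the three rules (large amount, entry and approval by the same user, posting outside business hours) are constructed; real criteria come from the audit plan, and the hooks sit inside the application's posting routine.

```python
"""Embedded audit module (SCARF/EAM style) for continuous auditing.

Added example, not from the ISACA course. Transactions, thresholds and
rules are constructed; only the screening pattern is the point.
"""
from datetime import datetime

# Constructed posting stream, as the application would hand it to the module.
TRANSACTIONS = [
    {"id": "T1", "amount": 900.00, "entered_by": "alice", "approved_by": "bob",
     "posted_at": "2007-03-05T10:15:00"},
    {"id": "T2", "amount": 15000.00, "entered_by": "carol", "approved_by": "bob",
     "posted_at": "2007-03-05T11:00:00"},
    {"id": "T3", "amount": 420.00, "entered_by": "dave", "approved_by": "dave",
     "posted_at": "2007-03-05T14:30:00"},
    {"id": "T4", "amount": 3000.00, "entered_by": "alice", "approved_by": "bob",
     "posted_at": "2007-03-06T02:10:00"},
    {"id": "T5", "amount": 200.00, "entered_by": "erin", "approved_by": "bob",
     "posted_at": "2007-03-06T09:00:00"},
    {"id": "T6", "amount": 25000.00, "entered_by": "frank", "approved_by": "frank",
     "posted_at": "2007-03-06T22:45:00"},
]

LARGE_AMOUNT = 10_000.00          # constructed materiality threshold
BUSINESS_HOURS = (7, 19)          # 07:00 up to but not including 19:00


def rule_large_amount(t: dict) -> bool:
    return t["amount"] > LARGE_AMOUNT


def rule_self_approved(t: dict) -> bool:
    """Segregation of duties: the person entering must not also approve."""
    return t["entered_by"] == t["approved_by"]


def rule_outside_hours(t: dict) -> bool:
    hour = datetime.fromisoformat(t["posted_at"]).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


# Predefined criteria, evaluated in this order for every transaction.
RULES = {
    "large_amount": rule_large_amount,
    "self_approved": rule_self_approved,
    "outside_business_hours": rule_outside_hours,
}


def screen(transaction: dict, rules: dict = RULES) -> list:
    """Names of the criteria this transaction meets (empty list if none)."""
    return [name for name, check in rules.items() if check(transaction)]


def run_eam(transactions: list, rules: dict = RULES) -> dict:
    """Process the stream; return the audit review file as id -> triggered rules.
    Transactions meeting no criterion are passed through without a record."""
    review_file = {}
    for t in transactions:
        hits = screen(t, rules)
        if hits:
            review_file[t["id"]] = hits
    return review_file


def alarms(review_file: dict) -> list:
    """One alarm line per hit, for immediate delivery to the IS auditors."""
    return [f"ALARM {tid}: {rule}" for tid, hits in review_file.items() for rule in hits]


if __name__ == "__main__":
    scarf = run_eam(TRANSACTIONS)
    for line in alarms(scarf):
        print(line)
```

Two of the slide's disadvantages are visible in the code itself: every criterion must be expressible as a predicate up front (difficulty of implementation), and nothing here exercises judgment, so the review file is a selection for the auditor to evaluate, not a conclusion.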

Page 119: Chap1 2007 Cisa Review Course

VIII - Chapter 1 Case Study
1. Case study Scenario

The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available.

It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective.

In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination.

Page 120: Chap1 2007 Cisa Review Course

VIII - Chapter 1 Case Study
2. Case study Questions

1. What should the IS auditor do FIRST?

A. Perform an IT risk assessment.
B. Perform a survey audit of logical access controls.
C. Revise the audit plan to focus on risk-based auditing.
D. Begin testing controls that the IS auditor feels are most critical.

Page 121: Chap1 2007 Cisa Review Course

VIII - Chapter 1 Case Study
2. Case study Questions

2. When testing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness
B. Changes to production code should be sampled and traced to appropriate authorizing documentation
C. Change management documents should be selected based on system criticality and examined for appropriateness
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change