2/8/2010
1
Certified Information Systems Auditor Course 2010
By Marjan Hussein
MBA, BCOMM, CPA(K), CISA, CIA, CCSA
INFORMATION SYSTEMS AUDIT PROCESS
Domain 1
Domain 1: IS Audit Process (approximately 10% of the exam, 20 questions)
Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.
TASKS
Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
Plan specific audits to ensure that IT and business systems are protected and controlled.
Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
Communicate emerging issues, potential risks, and audit results to key stakeholders.
Advise on the implementation of risk management and control practices within the organization while maintaining independence.
Knowledge Statements
- Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures, and Code of Professional Ethics
- Knowledge of IS auditing practices and techniques
- Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media)
- Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody)
- Knowledge of control objectives and controls related to IS (e.g. COBIT)
Knowledge Statements (cont..)
- Knowledge of risk assessment in an audit context
- Knowledge of audit planning and management techniques
- Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
- Knowledge of control self-assessment (CSA)
- Knowledge of continuous audit techniques
Information Systems Audit Process
Management of the IS Audit Function
Organization of the IS Audit Function
- IS audit services can be provided internally or externally
- A charter defines the IS audit function: the scope, authority and responsibility of the IS audit function
- The charter should be approved by the highest level of management and the Audit Committee
IS Audit Resource Management
- Maintain competency through updates of existing skills and training on new audit techniques and technological areas
- Detailed staff training plans for the year, reviewed semi-annually
IS Audit Planning
- Preparation of long- and short-term plans
- Analysis of both plans should be done at least annually
- Each individual audit assignment must be adequately planned
Information Systems Audit Process
Individual audit assignments
Understanding the environment under review during planning is important. To perform the audit planning the auditor should:
- Gain an understanding of the business mission, purpose, objectives, processes and technology, which include information and processing requirements such as availability, integrity, confidentiality and business technology
- Identify stated contents such as policies, standards and required guidelines, procedures and organizational structure
- Perform a risk analysis to help in designing the audit plan
- Conduct a review of internal controls (IC) related to IT
- Set the audit scope and objectives
- Develop the audit approach or audit strategy
- Assign resources
- Address engagement logistics
Information Systems Audit Process
Individual audit assignments
How to gain an understanding of the business
- Touring key organizational facilities
- Reading background materials
- Reviewing long-term strategic plans (business & IT)
- Interviewing key managers to understand business issues
- Reviewing prior reports
- Identifying special regulations applicable to IT
- Identifying IT functions or related activities that have been outsourced
Information Systems Audit Process
Laws and regulations: effects on IS audit planning
Identify those government or other external requirements dealing with:
- Electronic data, personal data, copyrights, e-commerce, e-signatures, etc.
- Computer system practices and controls
- The manner in which computer programs and stored data are used
- The way data is processed and transmitted
- The organization or activities of information technology services
- IS audits
Information Systems Audit Process
Laws and regulations: effects on IS audit planning (cont..)
- Document pertinent laws and regulations
- Assess whether management of the organization and the Information Systems function have considered relevant external requirements in making plans, policies, standards and procedures
- Review internal IS department documents that address adherence to applicable laws in the industry
- Determine adherence to established procedures
- Establish whether there are procedures in place to ensure that contracts or agreements with external IT service providers reflect any legal requirements related to responsibilities
ISACA Code of Professional Ethics
The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
ISACA Code of Professional Ethics (cont..)
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
ISACA Code of Professional Ethics (cont..)
5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
ISACA IS Standards
The specialized nature of IS auditing and the skills and knowledge necessary to perform such audits require globally applicable standards that pertain specifically to IS auditing.
The objectives of the ISACA standards are to inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics
- Management and other interested parties of the professional expectations concerning the work of audit practitioners
- Holders of the CISA designation of the requirements; failure to comply with these standards may result in investigations by the ISACA board for disciplinary action
Standards define mandatory requirements for IS auditing and reporting.
ISACA IS Standards (cont..)
S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow-up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
ISACA IS Auditing Guidelines
The objective of the guidelines is to provide further information on how to comply with the ISACA IS Auditing Standards.
The IS auditor should:
- Consider them in determining how to implement the standards
- Use professional judgment in applying them
- Be able to justify any departure
For an index of the IS Auditing Guidelines refer to the CISA 2010 manual (pp. 37-40)
ISACA IS Auditing Procedures
Provide examples of possible processes an IS auditor might follow in an audit engagement
In determining the appropriateness of any specific procedure, the IS auditor should apply their own professional judgment to the specific circumstances
The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements
It is not mandatory for the IS auditor to follow these procedures; however, following them will provide assurance that the standards are being followed by the auditor.
Relationship Between Standards, Guidelines & Procedures
IS Auditing Standards are to be followed by all IS auditors
Guidelines provide assistance on how the IS auditor can implement standards in various audit assignments
Procedures provide examples of steps the auditor may follow in specific audit assignments so as to implement the standards.
The IS auditor should always use professional judgment when applying guidelines and procedures
Information Technology Assurance Framework (ITAF)
It is a comprehensive and good-practice-setting model that:
- Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
- Defines terms and concepts specific to IT audit and assurance
- Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge and skills, and diligence, conduct and reporting requirements
ITAF includes 3 categories of standards: General (code of ethics), Performance (audit planning, supervision, scoping, etc.) and Reporting
(Assigned readings: CISA 2010 manual pages 34-45)
RISK ANALYSIS
Risk
- The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the asset. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat.
- The uncertainty that surrounds future events and outcomes
- The expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives
- Anything that could prevent the achievement of an organization's objectives
- Anything that could impact on the interests of stakeholders
Risk Analysis (cont..)
Elements of Risk
- Threats to, and vulnerabilities of, processes and/or assets (both physical and information assets)
- Impact on assets based on threats and vulnerabilities
- Probabilities of threats (likelihood and frequency of occurrence)
Total Risk = Threats X Vulnerability X Asset Value
Examples of threats: errors, malicious damage/attack, fraud, theft, equipment failure, software failure
Examples of vulnerabilities: lack of user knowledge, poor choice of passwords, use of untested technology, transmission over unprotected communications
Risk Analysis (cont..)
- Business risks are the likelihood of those threats that may negatively impact the assets, processes or objectives of a specific business.
- The nature of risks may be financial, regulatory or operational, and they may arise as a result of the interaction of the business with its environment, or as a result of the strategies, systems and particular technology, processes, procedures and information used by the business.
- The IS auditor is often focused on high-risk issues associated with the confidentiality, availability or integrity of sensitive and critical information, and the underlying information systems and processes that generate, store and manipulate such information.
Risk Analysis (cont..)
The risk assessment process is characterized as an iterative life cycle:
1. Identification of business objectives
2. Perform a risk assessment to identify threats and determine the probability of occurrence, the resulting impact, and the additional safeguards that would mitigate this impact to an acceptable level
3. Identify controls for mitigating the identified risks (preventive, detective and corrective)
4. Assess countermeasures through cost-benefit analysis based on:
   - Cost compared to the benefit of minimizing the risk
   - Management risk appetite
   - Preferred risk reduction method [terminate, minimize occurrence probability, minimize impact, or transfer risk]
5. Monitor the performance levels of the risks being managed
Summary of Risk Assessment Process (BO/RA/RM/RT)
1. Identify Business Objectives (BO)
2. Identify the Information Assets supporting the BOs
3. Perform Risk Assessment (RA) [Threat, Vulnerability, Probability, Impact]
4. Perform Risk Mitigation (RM) [Map risks with controls in place]
5. Perform Risk Treatment (RT) [Treat significant risks not mitigated by existing controls]
6. Perform periodic Risk Re-evaluation
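Worked example, added here and not part of the course slides: a small Python risk register that carries the life cycle above from business objectives through Total Risk = Threats X Vulnerability X Asset Value, mapping of the controls in place, and selection of a treatment for the risk that remains above the risk appetite. The assets, ratings, control effectiveness figures, risk appetite and treatment decision rules are constructed assumptions for illustration; the slide gives the formula and the four treatment options but not these thresholds.

```python
"""Added example (not from the course slides): a small risk register that
walks the risk assessment life cycle: identify the assets supporting a
business objective, rate threat, vulnerability and asset value, score
Total Risk = Threats x Vulnerability x Asset Value, map the controls in
place, and choose a treatment for the risk that remains above the risk
appetite. All ratings, control effectiveness figures and thresholds are
constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    business_objective: str
    threat: str
    vulnerability: str
    threat_likelihood: int     # 1 (rare) .. 5 (almost certain)
    vulnerability_rating: int  # 1 (hard to exploit) .. 5 (trivially exposed)
    asset_value: int           # 1 (negligible) .. 5 (critical to the business)
    controls: dict = field(default_factory=dict)  # control name -> assumed effectiveness 0..1

    def total_risk(self) -> int:
        """Slide formula: Total Risk = Threats X Vulnerability X Asset Value (1..125)."""
        return self.threat_likelihood * self.vulnerability_rating * self.asset_value

    def residual_risk(self) -> float:
        """Risk left after mapping the controls in place (risk mitigation step).
        Assumption: each control independently removes its effectiveness share."""
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return round(self.total_risk() * remaining, 2)


RISK_APPETITE = 20.0  # constructed: residual score management is prepared to accept


def treatment(risk: Risk) -> str:
    """Risk treatment step: pick one of the slide's options (terminate, minimize
    occurrence probability, minimize impact, transfer) for residual risk above
    the appetite. The decision rules are illustrative assumptions."""
    if risk.residual_risk() <= RISK_APPETITE:
        return "accept (within risk appetite)"
    if risk.asset_value >= 5 and risk.threat_likelihood >= 4:
        return "terminate"                        # critical asset under a near-certain threat
    if risk.vulnerability_rating >= risk.threat_likelihood:
        return "minimize occurrence probability"  # exposure drives the risk: add preventive controls
    if risk.asset_value >= 4:
        return "transfer"                         # frequent threat, valuable asset: insure or contract out
    return "minimize impact"                      # add detective/corrective controls


def rank_for_audit(register) -> list:
    """Risk-based planning: order by residual risk so audit effort goes where
    the controls in place leave the business most exposed."""
    ordered = sorted(register, key=lambda r: r.residual_risk(), reverse=True)
    return [r.asset for r in ordered]


SAMPLE_REGISTER = [  # constructed sample data
    Risk("Payroll database", "Pay staff accurately and on time",
         "Unauthorized data modification", "Shared DBA password",
         threat_likelihood=3, vulnerability_rating=4, asset_value=5,
         controls={"monthly access review": 0.3}),
    Risk("Customer web portal", "Sell online",
         "Service outage", "Untested failover",
         threat_likelihood=4, vulnerability_rating=3, asset_value=4,
         controls={"load balancer": 0.4}),
    Risk("Training intranet", "Staff development",
         "Content defacement", "Outdated CMS",
         threat_likelihood=3, vulnerability_rating=4, asset_value=1),
]

if __name__ == "__main__":
    by_asset = {r.asset: r for r in SAMPLE_REGISTER}
    for asset in rank_for_audit(SAMPLE_REGISTER):
        r = by_asset[asset]
        print(f"{asset:22} total={r.total_risk():3} residual={r.residual_risk():5} -> {treatment(r)}")
```

The ranking is by residual rather than total risk: that is the point of the mitigation step on the slide, since an area whose total risk is high but already well controlled deserves less audit time than a weaker-controlled one with the same exposure.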
Risk Analysis (cont..)
Purpose of Risk Analysis
- Assists the IS auditor in identifying risks and threats to an IT environment and IS systems, and in selecting the areas to examine
- Helps the IS auditor in his/her evaluation of controls in audit planning
- Helps in determining the audit objectives
- Helps in supporting risk-based audit decision making
INTERNAL CONTROLS
Policies, procedures, practices and organizational structures designed to provide reasonable assurance that an organization's objectives will be achieved and undesired risks prevented, or detected and corrected.
INTERNAL CONTROL OBJECTIVES
Statements of desired results or purpose to be achieved by implemented control procedures. Control is the means by which control objectives are addressed.
Control objectives include:
- Safeguarding of information technology assets
- Compliance with corporate policies or legal requirements
- Authorization/input
- Accuracy and completeness of the processing of transactions
- Output
- Reliability of process
- Backup/recovery
- Efficiency and economy of operations
Classifications of Controls
- Preventive controls
- Detective controls
- Corrective controls
IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated.
IS control objectives include:
- Safeguarding assets: information on automated systems is secured from improper access and kept up to date
- Assuring the integrity of general operating system environments, including network management and operations
- Assuring the integrity of sensitive and critical application system environments, including accounting/financial and management information, through:
  - Authorization of inputs
  - Accuracy and completeness of the processing of transactions
IS Control Objectives (cont..)
- Reliability of overall information processing activities
- Accuracy, completeness and security of output
- Database integrity
- Ensuring the efficiency and effectiveness of operations
- Complying with users' requirements and with organizational policies and procedures as well as applicable laws and regulations
- Developing business continuity and disaster recovery plans
- Developing an incident response plan
- Change management
COBIT
COBIT is a framework with a set of 34 IT processes grouped into 4 domains: planning and organizing, acquiring and implementing, delivery and support, and monitoring and evaluation.
By addressing these 34 IT processes, organizations can ensure that adequate governance and control arrangements are provided for their IT environment.
COBIT can be used as supplementary study material for understanding control objectives and principles.
COBIT cont..
Supporting these IT processes are more than 200 detailed control objectives necessary for effective implementation
COBIT uses, as its primary reference, the current major framework standards and regulations relating to IT.
COBIT is directed to Management and staff of Information services, control departments, audit functions and most importantly, the business process owners using IT processes to assure confidentiality, integrity and availability of sensitive and critical information
General Controls
Controls include policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved.
They apply to all areas of the organization. General controls include:
- Internal accounting controls: safeguarding of assets and reliability of financial records
- Operational controls: day-to-day activities
- Administrative controls: operational efficiency in a functional area and adherence to management policies. They support operational controls concerned with operating efficiency and policy adherence
IS Controls
Each general control procedure can be translated into an IS-specific control procedure.
IS control procedures include:
- Strategy and direction
- General organization and management
- Access to data and programs
- Systems development methodologies and change control
- Data processing operations
- Systems programming and technical support functions
- Data processing quality assurance procedures
- Physical access controls
- Business continuity and disaster recovery planning
- Network and communications
- Database administration
Performing IS Audit
Auditing
A systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards
IS Audit
Defined as any audit that encompasses review and evaluation (wholly or partially) of automated information processing systems, related non-automated processes and the interfaces between them
Classification of Audits
- Financial audits: data (integrity and reliability)
- Operational audits: controls
- Integrated audits: data and controls
- Administrative audits: operational efficiency
- Information systems audits: IS
- Specialized audits: reviewing services performed by third-party providers
- Forensic audits: discovering, preserving, disclosing and following up on frauds and crimes
Financial audits:
- Assess the correctness of financial statements
- Often involve detailed substantive testing
- Relate to information reliability and integrity
Operational audits
- Designed to evaluate internal controls, e.g. an IS audit of application controls, or of logical security
Integrated audits
- Include both financial and operational audits
- Performed to assess overall objectives related to financial information, safeguarding of assets and efficiency
- Include both compliance and substantive tests
Administrative Audits
Audits oriented to assess issues related to efficiency and effectiveness of operational productivity within an organization.
Information systems audit
- Collects and evaluates evidence to determine whether information systems and related resources:
  - Safeguard assets
  - Maintain data and system integrity
  - Provide relevant and reliable information
  - Achieve organizational goals effectively and efficiently
- Internal controls provide reasonable assurance that operational and control objectives will be met
Specialized audits
These are specialized reviews that examine areas such as services performed by third parties and forensic auditing
Statement on Auditing Standards (SAS) 70, titled "Reports on Processing of Transactions by Service Organizations", is a widely known standard developed by the AICPA
SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization
Forensic audits
These are audits specialized in discovering, disclosing and following up on frauds and crimes
The purpose of these reviews is to develop and protect evidence for review by law enforcement and judicial authorities
Computer forensic investigation includes the analysis of electronic devices such as computers, phones, PDAs, disks, switches, routers, hubs and other electronic equipment
Admissibility of evidence in court is very important and therefore computer evidence must be properly handled.
Forensic audit tools such as data mapping for security and privacy, risk assessment and search for intellectual property for data protection are being used for prevention, compliance and assurance.
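Worked example, added here and not part of the course slides: the "proper handling" of computer evidence that the text calls for is commonly recorded as a chain of custody, and the usual way to make that record verifiable is to fix a cryptographic hash of the item at collection time and have every later custodian re-hash what they received. The Python below keeps such a log; the evidence bytes, names and timestamps are constructed sample data, and the log layout is an assumption, not a standard form.

```python
"""Added example (not from the course slides): a hash-based chain-of-custody
record for electronic evidence. The SHA-256 of the item as collected is
stored with every custody entry, so each later custodian (and ultimately a
court) can verify the evidence was not altered since collection. Names,
contents and timestamps here are constructed sample data."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """One evidence item and the ordered list of hands it has passed through."""

    def __init__(self, evidence_id: str, data: bytes, collector: str, note: str, when=None):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(data)   # fixed at collection time, never updated
        self.entries = []
        self.record(data, collector, "collected", note, when)

    def record(self, data: bytes, custodian: str, action: str, note: str, when=None) -> bool:
        """Append a custody entry for the item as it is in the custodian's hands.
        Returns False (and flags the entry) if the bytes no longer match the
        hash taken at collection, i.e. the chain of custody is broken."""
        current = sha256_hex(data)
        intact = current == self.original_hash
        self.entries.append({
            "evidence_id": self.evidence_id,
            "custodian": custodian,
            "action": action,
            "note": note,
            "sha256": current,
            "intact": intact,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        })
        return intact

    def chain_intact(self) -> bool:
        """True only if every custodian received the same bytes that were collected."""
        return all(entry["intact"] for entry in self.entries)

    def to_json(self) -> str:
        """Serialized log to file alongside the evidence image."""
        return json.dumps(self.entries, indent=2)


# Constructed sample: an exported application log copied during a forensic review.
SAMPLE_EVIDENCE = b"2010-02-08 09:14:02 user=jdoe action=EXPORT table=PAYROLL rows=4512\n"
SAMPLE_TIME = datetime(2010, 2, 8, 10, 0, tzinfo=timezone.utc)


def demo() -> CustodyLog:
    """Collection by the IS auditor, then hand-over to an evidence custodian."""
    log = CustodyLog("EV-0001", SAMPLE_EVIDENCE, "IS auditor A",
                     "copied from application server", SAMPLE_TIME)
    log.record(SAMPLE_EVIDENCE, "evidence custodian B", "received", "sealed in evidence bag")
    return log


if __name__ == "__main__":
    print(demo().to_json())
```

The hash is taken once, at collection, and is deliberately never replaced: if a custodian's copy differs, the log records a broken chain rather than silently re-baselining, which is what an admissibility review needs to see.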
Audit Programs
The audit work program is the audit strategy and plan. It identifies the scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions.
IS auditors often evaluate IT functions and systems from different perspectives, such as:
- Security (confidentiality, integrity and availability)
- Quality (effectiveness and efficiency)
- Fiduciary (compliance, reliability)
- Service capacity
General Audit procedures
The steps in performing an audit include:
- Obtaining and recording an understanding of the audit area
- Detailed audit planning
- Preliminary review of the audit area
- Verifying and evaluating the appropriateness of controls designed to meet control objectives
- Testing (compliance and substantive)
- Reporting
- Follow-up
General Audit procedures (cont..)
The IS auditor must understand the procedures for testing and evaluating IS controls. These include:
- The use of generalized audit software to survey the contents of data files
- The use of specialized software to assess the contents of operating system, database and application parameter files (or to detect deficiencies in system parameter settings)
- Flowcharting techniques for documenting automated applications and business processes
- The use of audit logs/reports available in operating/application systems
- Documentation review
- Observation
Audit objectives
- They refer to the specific goals of the audit
- Determination of the audit's objectives is a critical step in planning an IS audit
- They center around substantiating that internal controls exist to minimize business risk
- The basic purpose of any IS audit is to identify control objectives and the related controls that address the objective
- Management may issue a general objective; a key element in planning is translating it into specific IS audit objectives
Audit process steps
- Plan: assess risks, develop the audit program (objectives, procedures)
- Obtain evidence
- Evaluate evidence: strengths and weaknesses of controls
- Prepare and present the report
- Follow-up: corrective actions taken by management
Audit methodology
- A set of documented audit procedures designed to achieve planned audit objectives
- Components include: scope, audit objectives, work programs
Audit program
- A step-by-step set of audit procedures and instructions that should be performed to complete an audit
- A guide for documenting the various audit steps performed
- Guides on the types and extent of evidential matter to be reviewed
- Provides a trail of the process used
- Provides accountability for performance
Audit phases
- Audit subject: identify the area to be audited
- Audit objective: identify the purpose of the audit
- Audit scope
- Pre-audit planning
- Audit procedures and steps for data gathering
- Procedures for evaluating the test or review results (organization specific)
- Procedures for communication with management (organization specific)
- Audit report preparation:
Practice Question
1-1 Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports
Fraud Detection
Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives.
A well-designed internal control system (ICS) provides a good opportunity for deterring fraud in the first instance, and a system that enables the timely detection of frauds
The IS auditor should observe and exercise due professional care in all aspects of their work and be alert to the possible opportunities that allow a fraud to materialize
Fraud Detection (cont)
The IS auditor should be aware and diligent as regards the possibility and means of perpetrating frauds, especially by exploiting the vulnerabilities and overriding controls in an IT-enabled environment
The IS auditor should have knowledge of fraud and fraud indicators and, during the performance of audit work, be alert to the possibility of frauds and errors
When the IS auditor comes across any instances of fraud or indicators of fraud, he/she may, after careful evaluation, communicate the need for a detailed investigation to the appropriate authorities
Where the auditor identifies a major fraud, or where the risk associated with the detection is high, audit management should also consider communicating to the audit committee in a timely manner.
Risk-Based Auditing
Business risks include concerns about the probable effects of an uncertain event on achieving established organizational objectives.
By understanding the nature of the business, IS auditors can identify and categorize the types of risks that will better determine the risk approach in conducting the audit.
A risk-based approach is used to assist an IS auditor in making the decision to perform either compliance or substantive testing.
It helps the auditor in determining the nature and extent of testing.
In addition to risk, auditors are also influenced by the internal controls as well as their knowledge of the business.
Risk-Based Audit Approach
Practice Question
1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Practice Question
1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Audit risk and materiality
- Audit risk is the risk that information may contain a material error that may go undetected during the course of the audit
- Risk within the audit process itself
- The risk of giving an incorrect audit opinion
- Sometimes used to describe the level of risk that the IS auditor is prepared to accept
Audit risk (cont..)
Can be categorized as:
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk
Inherent risk
- The risk that an error exists which could be material, assuming there are no related compensating controls
- Can be described as the susceptibility to a material misstatement in the absence of related controls, e.g.:
  - Complex calculations are more likely to be misstated than simple ones
  - Cash is more likely to be stolen than inventory
- Exists independently of an audit
- Can occur because of the nature of the business
Control risk
- The risk that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls
Detection risk
- The risk that the ISA used an inadequate test procedure and concludes that material errors do not exist when, in fact, they do
- Can be used to assess and evaluate an ISA's ability to test, identify and correct material errors
- Can be minimized by:
  - Proper statistical sampling procedures
  - A strong quality control process
Overall audit risk
- The combination of the individual categories of audit risk assessed for each specific control objective
- The objective of the audit approach is to limit overall audit risk
Materiality and audit risk
- Materiality is an expression of the relative significance or importance of a particular matter in the context of the organization as a whole
- The word "material" is associated with any of the components of risk; it refers to an error that should be considered significant by any party concerned
- While a given system may not detect a minor error, a combination of these may end up being material
- Requires sound judgment from the auditor
- Essential when planning the areas to be audited and the specific tests to be performed
- Materiality is considered in terms of the total potential impact to the organization
Practice Question
1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Practice Question
1-5 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses, as a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the applications controls.
D. review the system software controls as relevant and recommend a detailed system software review.
Audit risk assessment
- Used to identify and evaluate risks and their potential effect
- Used to determine high-risk areas that should be audited
- Planning guideline: an assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work
- This assessment should identify areas with a relatively high risk of the existence of material problems
Audit risk assessment - cont
Risk assessment and other audit techniques should be considered in deciding:
- The nature, extent and timing of audit procedures
- The areas or business functions to be audited
- The amount of time and resources to be allocated to an audit
Audit risk assessment - cont
Using risk assessment to determine the areas to be audited:
- Enables management to effectively allocate limited resources
- Ensures audit activities are directed to high-risk areas
- Establishes a basis for effectively managing the audit department
- Provides a summary of how the individual audit subject is related to the overall
Risk Assessment
- Assess the client's strategic business risk
- Assess the risk of material misstatement due to error, fraud or other irregularities
- Factors affecting inherent risk; factors affecting control risk
Audit risk = Inherent risk × Control risk × Detection risk
(Inherent risk and control risk are auditee risks; detection risk is the auditor's risk)
Risk assessment methods
- Different methods are employed to perform risk assessments, e.g. scoring system, judgmental
- A combination of methods may be used
- Methods may develop and change over time to best serve the needs of the organization
- All rely on subjective judgment at some point in the process
- Evaluate the appropriateness of any chosen risk methodology
Scoring method
- Considers variables such as technical complexity, controls in place and financial loss
- Variables may or may not be weighted
Judgmental method
- Decision based on executive management directives, historical perspectives, business goals and environmental factors
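Worked example, added here and not part of the course slides: the scoring method above applied to a small audit universe, rated on the three variables the slide names, first unweighted and then with a weight on financial loss, so the effect of weighting on the ranking is visible. It also shows the combination of methods the previous slide mentions, by letting an executive management directive (judgmental method) place an area at the top regardless of its score. Areas, ratings and weights are constructed sample data, and the inversion of the "controls in place" rating is an assumption made so that strong controls lower an area's priority.

```python
"""Added example (not from the course slides): the scoring method described
above, ranking candidate audit areas on the slide's variables (technical
complexity, controls in place, financial loss) either unweighted or with
weights, plus a judgmental override for executive management directives
(the slides note that methods may be combined). Areas, ratings and weights
are constructed sample data; the 'controls in place' rating is inverted so
that strong controls lower the score."""

VARIABLES = ("technical_complexity", "controls_in_place", "financial_loss")
SCALE_MAX = 5   # every variable is rated 1 (low) .. 5 (high)


def area_score(ratings: dict, weights=None) -> float:
    """Score one audit area as a fraction of the maximum possible score.
    weights=None gives the unweighted case (variables may or may not be weighted)."""
    weights = weights or {var: 1.0 for var in VARIABLES}
    total = max_total = 0.0
    for var in VARIABLES:
        rating = ratings[var]
        if not 1 <= rating <= SCALE_MAX:
            raise ValueError(f"{var} must be rated 1..{SCALE_MAX}, got {rating}")
        if var == "controls_in_place":
            rating = SCALE_MAX + 1 - rating   # strong controls reduce audit priority
        total += weights[var] * rating
        max_total += weights[var] * SCALE_MAX
    return round(total / max_total, 3)


def rank_audit_universe(universe: dict, weights=None, mandated=()) -> list:
    """Return area names from highest to lowest priority. 'mandated' lists areas
    that executive management has directed to be audited regardless of score
    (judgmental method combined with the scoring method)."""
    scored = sorted(universe, key=lambda name: area_score(universe[name], weights), reverse=True)
    return [a for a in mandated if a in universe] + [a for a in scored if a not in mandated]


SAMPLE_UNIVERSE = {  # constructed sample data
    "Treasury payments system": {"technical_complexity": 4, "controls_in_place": 4, "financial_loss": 5},
    "ERP general ledger":       {"technical_complexity": 3, "controls_in_place": 3, "financial_loss": 4},
    "HR self-service portal":   {"technical_complexity": 2, "controls_in_place": 3, "financial_loss": 2},
    "Legacy batch scheduler":   {"technical_complexity": 5, "controls_in_place": 1, "financial_loss": 2},
}
LOSS_HEAVY_WEIGHTS = {"technical_complexity": 1.0, "controls_in_place": 1.0, "financial_loss": 3.0}

if __name__ == "__main__":
    print("unweighted:", rank_audit_universe(SAMPLE_UNIVERSE))
    print("loss-weighted:", rank_audit_universe(SAMPLE_UNIVERSE, LOSS_HEAVY_WEIGHTS))
    print("with directive:", rank_audit_universe(SAMPLE_UNIVERSE, LOSS_HEAVY_WEIGHTS,
                                                 mandated=("HR self-service portal",)))
```

Unweighted, the poorly controlled legacy scheduler tops the list; weighting financial loss three times as heavily moves the treasury system to the top even though its controls are strong, which is the kind of shift the "may or may not be weighted" note on the slide is pointing at.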
Audit evidence
- The information the ISA gathers in the course of performing an IS audit to meet the audit objectives
- Must directly relate to the objectives of the review
- Gathering of evidential matter is key to the audit process
- Mandatory under the Standard for Evidence
- Evidence should be appropriately organized and documented to support findings and conclusions
IS Audit Standard 14 Audit Evidence
States that: "The ISA should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to base the audit results."
The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
Audit evidence - cont
- Sufficient: it is complete, adequate, convincing and would lead another ISA to form the same conclusions
- Reliable: if, in the auditor's opinion, it is valid, factual, objective and supportable
- Relevant: if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Audit evidence - types
- Observed processes and existence of physical items
- Documentary evidence recorded on paper or other media
- Representations
- Analysis
Audit evidence - cont
Observed processes and existence of physical items, e.g.:
- Inventory of media at an offsite storage location
- Computer room security in operation
- Cash count
Audit evidence - cont
Documentary evidence recorded on paper or other media can include:
- Results of data extractions
- Records of transactions
- Program listings
- Invoices
- Activity and control logs
- System development documentation
Audit evidence - cont
Representations include written and oral statements, written procedures and policies, and system flowcharts
Audit evidence - cont
Analysis includes:
- Comparisons
- Simulations
- Calculations
- Reasoning (synthesis)
Examples:
- Benchmarking of IS performance against other organizations or past performance
- Comparison of error rates between applications, transactions and users
Audit evidence and planning
When planning IS audit work, the ISA should take into account:
The audit evidence to be gathered
Its use in meeting the audit objectives
Its reliability (source and method of collection)
Reliability - determinants
Independence of the provider of the evidence
Qualifications of the individual providing the information or evidence
Objectivity of the evidence
Timing of the evidence
Reliability - cont
Independence of the provider of evidence
Example: corroborative evidence from an independent third party can be more reliable than evidence from the organization being audited (e.g. circularization of debtors, bank confirmation)
Reliability - cont
Objectivity of evidence: objective evidence is much better than evidence requiring considerable judgment and interpretation
Examples: physical evidence is more reliable than the representations of an individual; the ISA's own cash count is direct, objective evidence.
However, an ISA's analysis of the efficiency of an application, based upon discussion with certain personnel, may not be objective audit evidence.
Quality and quantity of evidence
Quality (competence): evidence is competent when it is both valid and relevant
Quantity: refers to the sufficiency of the audit evidence
Techniques for gathering evidence
Reviewing Information Systems organizational structures
Reviewing IS policies and procedures
Interviewing appropriate personnel
Observing processes and employee performance
Reviewing IS organizational structures
Separation (segregation) of duties is a key general control
Review structures to determine the level of control they provide; the ISA's knowledge of general organizational controls is very important
Be aware of differences, particularly in organizations with cooperative distributed processing or end-user computing
Reviewing IS Policies & Procedures
Review whether appropriate policies and procedures are in place and whether personnel understand the implemented policies and procedures
Verify that management assumes responsibility for formulating, developing, documenting, promulgating and controlling policies covering general aims and directives
Look for a minimum level of documentation
Review documentation and determine whether it follows the organization's documentation standards
Recognize differences in documentation: e.g. with Computer-Aided Software Engineering (CASE), prototyping, database specifications, file layouts and self-documented program listings, some documents will not be required or will be in automated form rather than on paper
Reviewing Information Systems Standards
The IS auditor should understand the existing standards in place within the organization
Reviewing IS documentation standards
Understand the existing documentation in place
Minimum documentation may include:
Systems development initiation documents (e.g. feasibility study)
Functional requirements and design specifications
Test plans and reports
Program and operations documents
Program change logs and histories
User manuals
Operations manuals
Security related documents (e.g. security plans, risk assessments)
QA reports
Interviewing appropriate personnel
Organize the interview in advance
Follow a fixed outline
Document it with interview notes; an interview checklist or form is a good approach
Never be accusatory; interviews should be discovery-oriented
Observing processes and employee performance
A key audit technique for many types of reviews
The IS auditor should be unobtrusive while making observations
Document everything in sufficient detail to be able to present it as audit evidence at a later date
Interviewing & observing personnel in the performance of their duties
Actual functions: allows the auditor an opportunity to witness how policies and procedures are internalized
Actual processes / procedures: allow the ISA to gain evidence of compliance and to observe deviations, if any
Security awareness: assists in verifying an individual's understanding and practice of preventive and detective security measures to safeguard the company's assets
Reporting relationships: ensure that assigned responsibilities and adequate segregation of duties are being practiced
Compliance testing
Tests of controls designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
Evidence gathering to determine the organization's compliance with control procedures
Used where there is a trail of documentary evidence, e.g. written authorization to implement a modified program
Broad objective: to provide reasonable assurance that a particular control on which the ISA plans to rely is operating as perceived/intended
Attribute sampling is the compliance test used to check the presence or absence of an attribute
Substantive testing
Tests of detailed activities and transactions, or analytical review tests, designed to obtain audit evidence on the completeness, accuracy or existence of those activities or transactions during the audit period
Evidence gathering that evaluates the integrity of individual transactions, data and other information
Provides evidence of the validity and propriety of the balances in the financial statements and of the transactions that support these balances
Minimized if compliance testing reveals the presence of adequate controls
Conversely, if compliance testing reveals weaknesses in controls that raise doubts about the completeness, accuracy or validity of accounts, substantive testing can alleviate those doubts (variable sampling is used)
Relationship between compliance and substantive testing
Review the system to identify controls
Test compliance to get reasonable assurance that the controls are functioning
Evaluate the controls to determine reliance and the nature and extent of substantive tests
Use substantive tests to validate data:
Tests of balances and transactions
Analytical review procedures
Relationship between compliance and substantive testing (cont..)
Sampling
Population: the entire group of items that need to be examined
Sample: a subset of population members
Used to infer characteristics of a population from the results of examining the characteristics of a sample of that population
The sample must represent as closely as possible the characteristics of the whole population
Why sampling
Ideally the entire population would be examined
Time and cost considerations make this impractical, so a sample is examined instead
General sampling approaches
Statistical sampling: uses an objective method
Non-statistical (or judgmental) sampling: uses subjective judgment
Statistical sampling
Uses an objective method to determine:
Sample size
Selection criteria
Sample precision
Reliability or confidence level
NB: to be a statistical sample, each item in the population must have an equal opportunity of being selected
Population characteristics can be inferred from the sample
Preferred method
Non-statistical or judgmental sampling
Uses subjective judgment to determine:
Method of sampling
Sample size
Sample selection (which items to select)
Population characteristics may not be inferred from the sample
Not the preferred method
Sampling risk
Both statistical and judgmental sampling require ISA judgment
Sampling risk is the risk that the auditor will draw the wrong conclusion from the sample
Statistical sampling allows the ISA to quantify the probability of error (confidence coefficient)
Methods of sampling
Attribute sampling
Variable sampling
Attribute sampling
Selecting items with certain attributes or characteristics (e.g. all items over a certain size)
Also known as proportional sampling
Deals with the presence or absence of an attribute or characteristic
Generally used in compliance testing
Conclusions are expressed in rates of incidence
Attribute sampling: types
Attribute sampling (also fixed sample size attribute sampling or frequency estimation): used to estimate the rate of occurrence of a specific quality in a population (how many?)
Stop-or-go sampling: audit tests are stopped at the earliest possible moment (used where relatively few errors are expected)
Discovery sampling: used when the expected occurrence is extremely low; used to seek out fraud, circumvention of regulations and other irregularities
Variable sampling
Used to estimate the average or total value of a population based on a sample
Also known as dollar estimation, mean estimation sampling or quantitative sampling
Used to estimate the dollar value or some other unit of measure such as weight, height etc.
Generally applied in substantive testing
Provides conclusions related to deviations from the norm
Example: review of balances for material transactions
Variable sampling: types
Stratified mean per unit: the population is divided into groups and samples are drawn from each group; produces a smaller sample size
Unstratified mean per unit: the sample mean is calculated and projected as an estimated total
Difference estimation: used to estimate the total difference between audited values and book values (unaudited values) based on the sample
Statistical sampling terms
Confidence coefficient (also referred to as confidence level or reliability factor)
Level of risk: one minus the confidence coefficient
Precision: acceptable range of difference between the sample and the actual population (set by the auditor)
Expected error rate (EER)
Sample size
Sample mean: average value of the sample
Sample standard deviation
Tolerable error rate: maximum number of errors that can exist without an account being materially misstated
Population standard deviation
Confidence coefficient
Also referred to as confidence level or reliability factor
The probability that the characteristics of the sample are a true representation of the population
95% is considered a high degree of comfort
If internal controls are strong, the confidence level may be lowered
The greater the confidence coefficient, the larger the sample
Level of risk
One minus the confidence coefficient
E.g. if the confidence coefficient is 95%, the level of risk is 5%
Precision
Set by the ISA
Represents the acceptable range between the sample and the population
For attribute sampling, stated as a percentage
For variable sampling, stated as a monetary amount or a number
The higher the precision amount, the smaller the sample size and the higher the risk of error
The lower the precision amount, the greater the sample size
Expected error rate
An estimate of the errors that may exist
Expressed as a percentage
The greater the expected error rate, the greater the sample size
Applies to attribute sampling
Others
Sample mean: average value of the sample
Sample standard deviation: measures the spread or dispersion of the sample values
Tolerable error rate: maximum misstatement or number of errors that can exist without an account being materially misstated
Population standard deviation: measures the spread of the population values (their relationship to the normal distribution); the greater the standard deviation, the larger the sample size; applies to variable sampling
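The sample-size relationships on the preceding slides (confidence coefficient, precision, expected error rate and population standard deviation) can be tried out numerically. The Python below is an added worked example, not part of the course material or of any ISACA publication: it uses the standard normal-approximation formulas for attribute, discovery and variable sample sizes, draws an equal-probability sample, evaluates an attribute sample as a rate of incidence, and projects a difference estimate. The population, the random seed and the book/audited figures are constructed for the illustration.

```python
"""Statistical sampling helpers for an IS audit (added illustration).

Implements the relationships the slides describe between confidence
coefficient, precision, expected error rate, population standard
deviation and sample size, plus equal-probability sample selection,
attribute evaluation and difference estimation. The sample-size
formulas are the usual normal-approximation ones; all figures in the
demo at the bottom are constructed, not real audit data.
"""
import math
import random
from statistics import NormalDist


def z_for_confidence(confidence: float) -> float:
    """Two-sided z value for a confidence coefficient, e.g. 0.95 -> about 1.96."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence coefficient must be between 0 and 1")
    return NormalDist().inv_cdf((1.0 + confidence) / 2.0)


def attribute_sample_size(confidence: float, expected_error_rate: float,
                          precision: float) -> int:
    """Attribute (compliance) sampling: n = z^2 * p(1-p) / precision^2.

    Higher confidence or expected error rate -> larger sample;
    a wider precision range -> smaller sample, as the slides state.
    """
    z = z_for_confidence(confidence)
    p = expected_error_rate
    return math.ceil(z * z * p * (1.0 - p) / (precision * precision))


def discovery_sample_size(confidence: float, critical_rate: float) -> int:
    """Discovery sampling: smallest n that finds at least one occurrence with
    the given confidence if the true rate is critical_rate.
    Solves 1 - (1 - rate)^n >= confidence for n."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - critical_rate))


def variable_sample_size(confidence: float, population_std_dev: float,
                         precision_amount: float) -> int:
    """Variable (substantive) sampling: n = (z * sigma / precision)^2.
    A larger population standard deviation -> larger sample."""
    z = z_for_confidence(confidence)
    return math.ceil((z * population_std_dev / precision_amount) ** 2)


def select_statistical_sample(population_ids, n, seed=None):
    """Simple random selection: every item has an equal chance of being chosen,
    which is the precondition for calling the sample 'statistical'.
    The seed exists only so a reviewer can reproduce the pull."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(population_ids), n))


def deviation_rate(sample_items, has_deviation) -> float:
    """Attribute evaluation: the conclusion is a rate of incidence."""
    deviations = sum(1 for item in sample_items if has_deviation(item))
    return deviations / len(sample_items)


def difference_estimate(sample_pairs, population_size: int) -> float:
    """Difference estimation: project the mean (audited - book) difference
    observed in the sample onto the whole population."""
    mean_diff = sum(audited - book for book, audited in sample_pairs) / len(sample_pairs)
    return mean_diff * population_size


if __name__ == "__main__":
    # Constructed figures for the illustration.
    print("attribute n (95%, EER 5%, precision 2%):", attribute_sample_size(0.95, 0.05, 0.02))
    print("discovery n (95%, critical rate 1%):", discovery_sample_size(0.95, 0.01))
    print("variable n (95%, sigma 50, precision 10):", variable_sample_size(0.95, 50.0, 10.0))
    print("selected items:", select_statistical_sample(range(1, 1001), 10, seed=7))
    approvals = [{"approved": True}, {"approved": False}, {"approved": True}, {"approved": True}]
    print("deviation rate:", deviation_rate(approvals, lambda r: not r["approved"]))
    pairs = [(100, 100), (250, 240), (80, 80), (500, 470), (60, 65)]  # (book, audited)
    print("projected difference over 1000 items:", difference_estimate(pairs, 1000))
```

Running it shows the direction of each relationship the slides describe: raising the confidence coefficient from 95% to 99%, or the expected error rate from 5% to 10%, increases the attribute sample; widening the precision from 2% to 5% shrinks it to a fraction; doubling the population standard deviation roughly quadruples the variable sample.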
Using the Services of other Auditors and Experts
Circumstances that may lead to using the services of other auditors:
Scarcity of IS auditors and the need for IT security specialists
Highly specialized areas
Outsourcing of IS assurance and security services is increasingly becoming common practice
Possible areas of outsourcing include networking, ATM, wireless, system integration etc.
Considerations before using the services of other auditors and experts:
Any restrictions by law and regulations
Audit charter or contractual stipulations
Impact on overall and specific IS audit objectives
Impact on IS audit risk and professional liability
Independence and objectivity of the other auditors/experts
Professional competence, qualifications and experience
Scope of the work to be outsourced and the approach
Supervisory and audit management control
Methods and modalities of communication of audit results etc.
Using the Services of other Auditors and Experts (cont..)
Other special considerations include:
Testimonials/references and background checks
Access to systems, premises and records
Confidentiality restrictions to protect customer related information
Use of CAATs and other tools
Standards and methodologies for performance of the work and documentation
Nondisclosure agreements
IS auditor responsibilities:
Clearly communicating the audit objectives, scope and methodology through a formal engagement letter
Putting in place a monitoring process for regular review of the third party's work
Assessing the usefulness and appropriateness of reports and the impact of their significant findings on the overall audit objectives
Computer Aided Audit Techniques (CAATs)
Any computer based tool for automating audit procedures
Provides a means to:
Gain access to and analyze data for a predetermined period
Report on audit findings, with emphasis on the reliability of records produced and maintained in the system
CAATs Examples
These include:
Generalized audit software, e.g. ACL, IDEA
Utility software, e.g. DBMS report writers
SQL commands
Third party access control software
Application system options and reports built into the system
Spreadsheets?
Need for CAATs
Evidence exists in electronic form
Differences in hardware and software environments, data structures, record formats, processing functions, etc.
What else?
Functional capabilities of CAATs
File access: reading different file structures and record formats
File reorganization: indexing, sorting, merging, linking
Data selection: filtration conditions, selection criteria
Statistical functions: sampling, stratification, frequency analysis
Arithmetic functions: arithmetic operators and functions
Generalized audit software
Provides an independent means to gain access to data for analysis
Effective and efficient use requires an understanding of its capabilities and limitations
Reads and accesses data from various database platforms, flat file formats and ASCII formats
Features include:
Mathematical computations
Stratification
Statistical analysis
Sequence checks
Duplicate checks
Re-computations
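To make the feature list concrete, here is an added example (plain Python, not ACL or IDEA code and not from the course) that runs the same kinds of checks a GAS tool offers, sequence, duplicate, re-computation, data selection and stratification, over a small invoice register constructed for the illustration. The column names and the self-approval selection condition are assumptions made for the example.

```python
"""Generalized-audit-software style checks over a transaction extract (added example).

Re-creates in plain Python the GAS features listed on the slide: file access,
data selection, sequence checks, duplicate checks, stratification and
re-computation. The invoice register below is constructed for the example.
"""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed extract of an accounts-payable invoice register (not real data).
SAMPLE_CSV = """invoice_no,vendor_id,entered_by,approved_by,qty,unit_price,total
1001,V10,alice,bob,10,12.50,125.00
1002,V11,alice,bob,3,99.99,299.97
1004,V10,carol,carol,1,4500.00,4500.00
1005,V12,alice,dave,2,250.00,500.00
1005,V12,alice,dave,2,250.00,500.00
1006,V13,bob,alice,7,10.00,75.00
"""


def load_records(text):
    """File access: read a delimited extract into typed records.
    Decimal is used for money so re-computation is exact, not float-approximate."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["invoice_no"] = int(row["invoice_no"])
        row["qty"] = int(row["qty"])
        row["unit_price"] = Decimal(row["unit_price"])
        row["total"] = Decimal(row["total"])
        rows.append(row)
    return rows


def sequence_gaps(records, key="invoice_no"):
    """Sequence check: numbers missing from a supposedly unbroken series
    (a gap can mean a deleted or unrecorded document)."""
    present = {r[key] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_keys(records, key="invoice_no"):
    """Duplicate check: keys occurring more than once (possible double payment)."""
    counts = Counter(r[key] for r in records)
    return sorted(k for k, c in counts.items() if c > 1)


def recomputation_exceptions(records):
    """Re-computation: rows whose recorded total != qty * unit_price."""
    return [r["invoice_no"] for r in records if r["qty"] * r["unit_price"] != r["total"]]


def select_records(records, predicate):
    """Data selection: filter on an auditor-defined condition."""
    return [r for r in records if predicate(r)]


def stratify(records, boundaries):
    """Stratification: count and sum totals per value band.
    boundaries ascend; band i is [boundaries[i-1], boundaries[i]); the last band is open."""
    strata = defaultdict(lambda: {"count": 0, "amount": Decimal("0")})
    for r in records:
        label, lower = f">= {boundaries[-1]}", 0
        for upper in boundaries:
            if r["total"] < upper:
                label = f"{lower}-{upper}"
                break
            lower = upper
        strata[label]["count"] += 1
        strata[label]["amount"] += r["total"]
    return dict(strata)


if __name__ == "__main__":
    invoices = load_records(SAMPLE_CSV)
    print("sequence gaps:", sequence_gaps(invoices))
    print("duplicates:", duplicate_keys(invoices))
    print("recomputation exceptions:", recomputation_exceptions(invoices))
    # Selection condition assumed for the example: entered and approved by the same person.
    same_person = select_records(invoices, lambda r: r["entered_by"] == r["approved_by"])
    print("self-approved:", [r["invoice_no"] for r in same_person])
    print("strata:", stratify(invoices, [100, 1000]))
```

On the constructed register the checks surface one gap (1003), one duplicate (1005), one arithmetic exception (1006) and one self-approved invoice (1004), and the stratification shows where the monetary value concentrates, which is what an auditor uses to decide where to direct substantive work. In practice the extract would come from read-only access to production data, as the slides on CAAT concerns advise.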
CAATs advantages
Reduced level of audit risk
Enhanced independence from the auditee
Broader and more consistent audit coverage
Faster availability of information
Improved exception identification
Greater flexibility of run times
Greater opportunity to quantify internal control weaknesses
Enhanced sampling
Cost savings over time
CAATs: things to consider
Cost-benefit analysis
Ease of use
Training requirements
Complexity of coding and maintenance
Flexibility of use
Installation requirements
Processing efficiencies
Effort required to get the source data into the CAAT
CAATs areas of concern
Integrity, reliability and security of the CAAT
Integrity of the IS and security environment
Confidentiality and security of the data
CAATs things to do
Request read-only access to production data
Keep data confidential
CAATs development documentation
Commented program listings
Flowcharts
Sample reports
Record and file layouts
Field definitions
Operating instructions
Practice Question
1-6 The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.
Evaluating evidence
Involves judgments based on experience
Use the evidence gathered to assess compliance with control objectives
Assess strengths and weaknesses in controls to determine whether they are effective in meeting the control objectives established in planning
A control matrix may be used to illustrate areas where controls may be weak or lacking
Always check for compensating controls before reporting a control weakness
A control objective may be met by a number of controls
Judging materiality of findings
Key: judging what is significant to different levels of management
Requires judgment of the potential effect of the finding if corrective action is not taken
The ISA decides what to discuss with the auditee and what to report
Communicating Audit Results
ISAs are ultimately responsible to senior management and to the Audit Committee of the Board of Directors
Before communicating the results of an audit to senior management, the ISA should discuss the findings with the management staff responsible for the area audited
Presentation techniques can include an executive summary and visual presentation
Audit Report Structure and Contents
Introduction, including a statement of the audit objectives and scope and a general statement on the nature and extent of audit procedures used during the audit
The ISA's overall conclusion and opinion on the adequacy of the controls and procedures examined during the audit
The ISA's reservations or qualifications with respect to the audit
Detailed audit findings and recommendations
Limitations of the audit
Statement of the IS guidelines followed
Management Actions to Implement Recommendations
The ISA will not be effective if audits are performed and reports issued but no follow-up is done to determine whether management has taken appropriate corrective action
The ISA should have a follow-up program to determine whether agreed corrective actions have been implemented
The timing of the follow-up depends on the criticality of the findings and is subject to the ISA's judgment
The results of the follow-up should be communicated to the appropriate levels of management
Audit Documentation
Documentation should include, at a minimum, a record of:
The planning and preparation of the audit scope and objectives
The information system environment
The audit program
The audit steps performed and audit evidence gathered
Audit findings, conclusions and recommendations
Any report issued as a result of the audit work
Supervisory review
Control Self-Assessment (CSA)
A management technique that assures stakeholders, customers and other parties that the internal control system of the business is reliable
It ensures that employees are aware of the risks to the business and that they conduct periodic reviews of controls
A methodology used to review key business objectives, the risks involved in achieving those objectives and the internal controls designed to manage these business risks, in a formal, documented and collaborative process
In CSA, management and working teams are directly involved in judging and monitoring the effectiveness of existing controls
Control Self-Assessment (CSA)
A CSA program can be implemented in various ways, ranging from the use of questionnaires to facilitated workshops
The primary objective is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
A critical success factor (CSF) in CSA is to conduct a meeting with the business unit's representatives, including appropriate and relevant staff and management, to identify the business unit's primary objectives, i.e. to determine the purpose of the business unit and its supporting objectives
The COBIT management guidelines provide generic sets of CSFs, KPIs and KGIs for each process, used in designing and monitoring the CSA program
Benefits of CSA
Early detection of risks
More effective and improved internal controls
Creation of cohesive teams through employee involvement
Increased employee awareness of organizational objectives and knowledge of risk and internal controls
Increased communication between operational and top management
Highly motivated employees
Improved audit rating processes
Reduction in control cost
Assurance provided to stakeholders and customers
Necessary assurance given to top management about the adequacy of internal controls, as required by various regulatory agencies and laws, e.g. the Sarbanes-Oxley Act
Control Self-Assessment (CSA)
Disadvantages of CSA
It could be mistaken for a replacement of the audit function
It is regarded as additional workload (e.g. one more report to be submitted to management)
Failure to act on improvement suggestions could damage employee morale
Lack of motivation may limit effectiveness in the detection of weak controls
Auditors' Role in CSA
Auditors become internal control professionals and assessment facilitators
The auditors' role is enhanced when the audit department embarks on a CSA program
The auditors' value becomes more evident when management takes responsibility and ownership for the internal control systems under their authority, through process improvements in their control structures and active monitoring
Technology Drivers for a CSA Program
A combination of hardware and software to support CSA selection
Use of electronic meeting systems and computer-supported decision aids to facilitate group decision making
In the case of the questionnaire approach, the same principle applies to the analysis and readjustment of the questionnaire
Traditional vs CSA Approach
In the traditional approach the primary responsibility for analyzing and reporting on internal control and risk was assigned to auditors and, to a lesser extent, to controller departments and outside consultants
This approach created and reinforced the notion that auditors and consultants, not management and work teams, are responsible for assessing and reporting on internal control
The CSA approach emphasizes management responsibility and accountability for developing and monitoring the internal control of an organization's sensitive and critical business processes
EMERGING CHANGES IN THE IS AUDIT PROCESS
Areas that address changes in the IS audit process, in order to keep pace with innovations and technology, include:
Automated work papers
Integrated auditing
Continuous auditing
Automated Work Papers
Specialized applications are used to automate audit working papers (e.g. risk analysis, audit programs, results, test evidence, conclusions, reports and other complementary information)
Although auditors often use office automation packages such as word processors or spreadsheets, standard audit work paper packages are being implemented in audit departments and are proving useful and appropriate in helping to facilitate audit work
When automating work papers, rules regarding the integrity, confidentiality and availability of audit records should be applied that are equivalent to those required for hard copy
Automated Work Papers
Minimum controls include, but are not limited to:
Access to work papers
Audit trails
Automated features to provide and record approval
Security and integrity controls regarding the OS, DB and communication channels
Backup and restore procedures
Encryption techniques to provide confidentiality
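Two of the minimum controls listed above, integrity of the work papers and an audit trail of approvals, can be illustrated with the following added Python example; it is not from any work-paper product or from the course. It builds a SHA-256 manifest of the work-paper files so that later alteration is detectable, and keeps a hash-chained approval log in which each entry commits to the previous entry and to the exact version of the paper that was approved. File names, contents and reviewer names are constructed for the illustration; access control and encryption for confidentiality are outside the snippet.

```python
"""Integrity and audit-trail controls for automated work papers (added example).

Shows two of the minimum controls the slide lists: an integrity manifest
(SHA-256 of every work paper, so later alteration is detectable) and a
tamper-evident approval trail in which each entry commits to the hash of
the previous entry and to the version of the paper approved. File contents
and reviewer names are constructed; this is not a real work-paper product.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first trail entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(work_papers: dict) -> dict:
    """Map each work-paper name to the SHA-256 of its content."""
    return {name: sha256_hex(content) for name, content in sorted(work_papers.items())}


def verify_manifest(work_papers: dict, manifest: dict) -> dict:
    """Report modified, missing and unexpected work papers relative to the manifest."""
    current = build_manifest(work_papers)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


class ApprovalTrail:
    """Append-only review/approval log. Each entry's hash covers its own fields
    plus the previous entry's hash, so editing, deleting or reordering an
    earlier approval breaks every later link in the chain."""

    def __init__(self):
        self.entries = []

    def record(self, paper: str, reviewer: str, action: str, paper_hash: str, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "paper": paper,
            "paper_hash": paper_hash,  # binds the approval to one exact version
            "reviewer": reviewer,
            "action": action,
            "at": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed scenario: two papers, a review and an approval, then tampering."""
    papers = {
        "A1-planning.txt": b"Audit scope: AP controls FY2009",
        "B3-test-results.txt": b"Sample of 45 invoices; 2 exceptions",
    }
    manifest = build_manifest(papers)
    trail = ApprovalTrail()
    approved_hash = manifest["B3-test-results.txt"]
    trail.record("B3-test-results.txt", "senior", "reviewed", approved_hash,
                 datetime(2010, 2, 8, 9, 0, tzinfo=timezone.utc))
    trail.record("B3-test-results.txt", "manager", "approved", approved_hash,
                 datetime(2010, 2, 8, 17, 0, tzinfo=timezone.utc))
    tampered = dict(papers)
    tampered["B3-test-results.txt"] = b"Sample of 45 invoices; 0 exceptions"
    return manifest, trail, verify_manifest(papers, manifest), verify_manifest(tampered, manifest)


if __name__ == "__main__":
    manifest, trail, clean, altered = demo()
    print("clean check:", clean)
    print("after tampering:", altered)
    print("trail intact:", trail.verify())
```

The manifest and trail need the same protection the slide asks for on the work papers themselves (restricted write access and backups); a hash chain makes tampering evident, it does not prevent it, and an attacker with write access to both the papers and the trail could regenerate both, which is why the trail's head hash is typically also recorded somewhere the preparer cannot write, such as supervisory review notes.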
Integrated Auditing
A process whereby audit disciplines are combined to assess key internal controls over an operation, process or entity
The integrated approach focuses on risk; the risk assessment aims to understand and identify the risks arising from the entity and its environment
IT audit helps to understand and identify risks in information management, IT infrastructure, IT governance and IT operations
Other audits seek to understand the organizational environment, business risks and business controls
IT systems provide a first line of preventive and detective controls, and an integrated audit depends on a sound assessment of their efficiency and effectiveness
Practice Question
1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Integrated Auditing cont
The integrated audit process involves:
Identification of relevant key controls
Reviewing and obtaining an understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses
Continuous Auditing
A methodology that enables independent auditors to provide assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of the events underlying the subject matter
Has an edge over periodic auditing because it captures internal control problems as they occur, thus preventing negative effects
Implementation can reduce audit inefficiencies such as delays, planning time, inefficiency of the audit process itself, overheads due to work segmentation etc.
Continuous Auditing cont
Drivers of continuous auditing include: better monitoring of financial issues within a company; ensuring that real-time transactions also benefit from real-time monitoring; prevention of financial and audit scandals, e.g. Enron and WorldCom; and the use of software to determine that financial controls are proper
Embedded audit modules allow an auditor to trap predefined types of events, or to directly inspect abnormal transactions
Continuous auditing often incorporates new information technology developments, the increased processing capabilities of current hardware and software, standards and artificial intelligence tools
Continuous Auditing cont..
For continuous auditing to succeed there must be:
A high degree of automation
An automated and highly reliable process for producing information about the subject matter soon after the occurrence of the events underlying it
Alarm triggers to report control failures in a timely manner
Implementation of highly automated audit tools that require the IS auditor to be involved in setting up the parameters
Quick notification of the IS auditor of the results of automated audit procedures, particularly when the process has identified anomalies or errors
Continuous Auditing cont..
For continuous auditing to succeed there must be (cont..):
Quick and timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of audit evidence
Adherence to materiality guidelines
Evaluation of cost factors
A change of mind-set by IS auditors to embrace continuous reporting
Continuous Auditing cont
IT techniques used in continuous auditing must work at all data levels (transactions and databases) and include:
Transaction logging
Query tools
Statistics and data analysis (CAATs)
Database Management Systems (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language (XBRL)
Advantages:
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages:
Difficulty in implementation
High cost
Elimination of the auditor's personal judgment and evaluation
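The embedded audit module and alarm trigger mentioned on the preceding slides can be sketched in code. The following is an added Python example, not from the course or from any product: an EAM object hooked into an application's posting path evaluates each transaction as it posts against predefined rules (a large amount, self-approval that breaks segregation of duties, posting outside business hours), appends exceptions to an auditor-owned log and raises an alarm for the high-severity ones. The rules, the threshold, the business hours and the transactions are assumptions constructed for the illustration.

```python
"""Embedded audit module (EAM) sketch for continuous auditing (added example).

An EAM sits inside the application's processing path, evaluates each
transaction against predefined audit rules as it is posted, and writes
exceptions to an auditor-controlled log or raises an alarm, instead of
waiting for a periodic review. Rules, threshold, business hours and
transactions are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transaction:
    txn_id: str
    amount: float
    entered_by: str
    approved_by: str
    posted_at: datetime


@dataclass
class Alert:
    txn_id: str
    rule: str
    detail: str
    severity: str


class EmbeddedAuditModule:
    """Parameters are set by the IS auditor, not by the application owner."""

    def __init__(self, large_amount=10_000.0, business_hours=(8, 18)):
        self.large_amount = large_amount
        self.business_hours = business_hours
        self.audit_log = []   # auditor-owned, append only
        self.alarms = []      # subset needing immediate attention

    def check_amount(self, t):
        if t.amount >= self.large_amount:
            return Alert(t.txn_id, "large_amount",
                         f"{t.amount:.2f} >= {self.large_amount:.2f}", "high")
        return None

    def check_segregation(self, t):
        if t.entered_by == t.approved_by:
            return Alert(t.txn_id, "self_approval",
                         f"entered and approved by {t.entered_by}", "high")
        return None

    def check_hours(self, t):
        start, end = self.business_hours
        if not start <= t.posted_at.hour < end:
            return Alert(t.txn_id, "outside_business_hours",
                         t.posted_at.isoformat(), "medium")
        return None

    def inspect(self, t):
        """Trap: evaluate every predefined rule against the transaction as it posts."""
        alerts = [a for a in (self.check_amount(t), self.check_segregation(t),
                              self.check_hours(t)) if a is not None]
        self.audit_log.extend(alerts)
        for a in alerts:
            if a.severity == "high":
                self.alarm(a)
        return alerts

    def alarm(self, alert):
        """Alarm trigger: in production this would notify the IS auditor at once;
        here it only records the alert."""
        self.alarms.append(alert)


def post_transaction(ledger, txn, eam):
    """Application posting path with the EAM hooked in. The module is detective:
    the posting is not blocked, the exception is captured as it occurs."""
    ledger.append(txn)
    return eam.inspect(txn)


def run_demo():
    """Post a constructed batch through the EAM and return the module for inspection."""
    eam = EmbeddedAuditModule()
    ledger = []
    sample = [
        Transaction("T1", 500.0, "alice", "bob", datetime(2010, 2, 8, 10, 0)),
        Transaction("T2", 25000.0, "alice", "bob", datetime(2010, 2, 8, 10, 5)),
        Transaction("T3", 800.0, "carol", "carol", datetime(2010, 2, 8, 11, 0)),
        Transaction("T4", 300.0, "alice", "bob", datetime(2010, 2, 8, 23, 30)),
        Transaction("T5", 50000.0, "dave", "dave", datetime(2010, 2, 9, 2, 0)),
    ]
    for t in sample:
        post_transaction(ledger, t, eam)
    return eam


if __name__ == "__main__":
    module = run_demo()
    for a in module.audit_log:
        print(a.txn_id, a.rule, a.severity, a.detail)
    print("alarms raised:", len(module.alarms))
```

Note the design choice that makes this an audit module rather than an application control: the rules and thresholds belong to the auditor, the log is separate from the application's own records, and the module observes without altering the business outcome. The batch above produces six logged exceptions and four alarms, the T5 posting alone tripping all three rules.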
Practice Question
1-8 The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business's objectives.
D. develop the audit approach or audit strategy.
Practice Question
1-9 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. detective control.
Practice Question
1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.