Chapter 1 The Process of Auditing Information Systems Chapter 1 - Tasks • Develop and implement a risk-based IS audit strategy in compliance with IT Audit Standards, to ensure that key areas are included. • Plan specific audits to determine whether information systems are protected, controlled and provided value to the organization. • Conduct audits in accordance with IT audit standards to achieve planned audit objectives. Tasks (continued) • Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary. • Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner. Introduction • Audits are conducted for a variety of reasons. An audit can help an organization ensure effective operations, affirm its compliance with various regulations and confirm that the business is functioning well and is prepared to meet potential challenges. Introduction IS audit is the formal examination and/or testing of information systems to determine whether: • Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines. • Information systems and related processes comply with governance criteria and related and relevant policies and procedures. • IS data and information have appropriate levels of confidentiality, integrity and availability Introduction • In general terms, the typical audit process consists of three major phases • Planning • Fieldwork/Documentation • Reporting/Follow-up ISACA Code of Professional Ethics ISACA (Information Systems Audit and Control Association) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Code of Professional Ethics 1. Support the implementation of and encourage compliance with, appropriate standards, procedures and controls for information systems. 2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices. 3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession. Code of Professional Ethics 4. 5. 6. 7. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties. Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence. Inform appropriate parties of the results of work performed, revealing all significant facts known to them. Support the professional education of stakeholders in enhancing their understanding of IS security and control. ISACA IS Auditing Standards Framework (continued) Objectives of the ISACA IS Auditing Standards: • • Inform management and other interested parties of the profession’s expectations concerning the work of audit practitioners Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics ISACA IS Auditing Standards Framework (continued) S1 Audit Charter • covers the entire scope of audit activities in an entity • Purpose, responsibility, authority and accountability • Approval S2 Independence • Professional independence • Organizational independence ISACA IS Auditing Standards Framework (continued) S3 Professional Ethics and Standards • Code of Professional Ethics • Due professional care S4 Professional Competence • Skills and knowledge • Continuing professional education ISACA IS Auditing Standards Framework (continued) S5 Planning • Plan IS audit coverage • Develop and document a risk-based audit approach • Develop and document an audit plan • Develop an audit program and procedures ISACA IS Auditing Standards Framework (continued) S6 Performance of Audit Work • Supervision • Evidence • Documentation ISACA IS Auditing Standards Framework (continued) S7 Reporting • Identify the organization, intended recipients and any restrictions • State the scope, objectives, coverage and nature of audit work performed • State the findings, conclusions and recommendations and limitations • Justify the results reports through evidences • Be signed, dated and distributed according to the audit charter ISACA IS Auditing Standards Framework (continued) S8 Follow-up Activities • Review previous conclusions and recommendations • Review previous relevant findings • Determine whether appropriate actions have been taken by management in a timely manner ISACA IS Auditing Standards Framework (continued) S9 Irregularities and Illegal Acts • Consider the risk of irregularities and illegal acts • Maintain an attitude of professional skepticism • Obtain an understanding of the organization and its environment • Consider unusual or unexpected relationships • Test the appropriateness of internal control • Assess any misstatement ISACA IS Auditing Standards Framework (continued) S9 Irregularities and Illegal Acts (continued) • Obtain written representations from management • Have knowledge of any allegations of irregularities or illegal acts • Communicate material irregularities or illegal acts • Consider appropriate action in case of inability to continue performing the audit • Document irregularity- or illegal act-related communications, planning, results, evaluations and conclusions ISACA IS Auditing Standards Framework (continued) S10 IT Governance • Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies • Review the IS function’s statement about the performance and assess its achievement • Review and assess the effectiveness of IS resource and performance management processes ISACA IS Auditing Standards Framework (continued) S10 IT Governance (continued) • Review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements • Use a risk-based approach to evaluate the IS function • Review and assess the organization’s control environment • Review and assess the risks that may adversely affect the IS environment ISACA IS Auditing Standards Framework (continued) S11 Use of Risk Assessment in Audit Planning • Use a risk assessment technique in developing the overall IS audit plan • Identify and assess relevant risks in planning individual reviews ISACA IS Auditing Standards Framework (continued) S12 Audit Materiality • The IS auditor should consider audit materiality and its relationship to audit risk • The IS auditor should consider potential weakness or absence of controls when planning for an audit • The IS auditor should consider the cumulative effect of minor control deficiencies or weaknesses • The IS audit report should disclose ineffective controls or absence of controls ISACA IS Auditing Standards Framework (continued) S13 Using the Work of Other Experts • The IS auditor should consider using the work of other experts • The IS auditor should be satisfied with the qualifications, competencies, etc., of other experts • The IS auditor should assess, review and evaluate the work of other experts to determine the extent of reliance. • The IS auditor should determine if the work of other experts is adequate and complete • The IS auditor should apply additional test procedures to gain sufficient and appropriate audit evidence • The IS auditor should provide appropriate audit opinion ISACA IS Auditing Standards Framework (continued) S14 Audit Evidence • Includes procedures performed by the auditor and results of those procedures • Includes source documents, records and corroborating information • Includes findings and results of the audit work • Demonstrates that the work was performed and complies with applicable laws, regulations and policies ISACA IS Auditing Standards Framework (continued) S15 IT Controls • Evaluate and monitor IT controls that are an integral part of the internal control environment of the organization. • IS Auditor should assist management by providing advice regarding the design, implementation, operation and improvement of IT controls. Standards Framework (continued) S16 E-Commerce • The IS auditor should evaluate applicable controls and assess risk when reviewing e-commerce environments to ensure that e-commerce transactions are properly controlled. ISACA IS Auditing Guidelines G1 – Using the Work of Other Auditors G2 – Audit Evidence Requirement G3 – Use of Computer Assisted Audit Techniques (CAATs) G4 – Outsourcing of IS Activities to Other Organizations G5 – Audit Charter G6 – Materiality Concepts for Auditing Information Systems G7 – Due Professional Care G8 – Audit Documentation G9 – Audit Considerations for Irregularities G10 – Audit Sampling ISACA IS Auditing Guidelines (continued) G11 – Effect of Pervasive IS Controls G12 – Organizational Relationship and Independence G13 – Use of Risk Assessment in Audit Planning G14 – Application Systems Review G15 – Planning G16 – Effect of Third Parties on Organization’s IT Controls G17 – Effect of Non-audit Role on IS Auditor’s Independence G18 – IT Governance G19 – Irregularities and Illegal Acts ISACA IS Auditing Guidelines (continued) G20 – Reporting G21 – Enterprise Resource Planning (ERP) Systems Review G22 – Business-to-consumer (B2C) E-commerce Review G23 – System Development Life Cycle (SDLC) Review G24 – Internet Banking G25 – Review of Virtual Private Networks G26 – Business Process Reengineering (BPR) Project Reviews G27 – Mobile Computing G28 – Computer Forensics G29 – Post-implementation Review ISACA IS Auditing Guidelines (continued) G30 – Competence G31 – Privacy G32 – Business Continuity Plan (BCP) Review From IT Perspective G33 – General Considerations on the Use of the Internet G34 – Responsibility, Authority and Accountability G35 – Follow-up Activities G36 – Biometric Controls G37 – Configuration Management G38 – Access Control G39 – IT Organizations G40 – Review of Security Management Practices G41 – Return on Security Investment (ROSI) G42 – Continuous Assurance ISACA IS Auditing Procedures • Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement • The IS auditor should apply their own professional judgment to the specific circumstances ISACA IS Auditing Procedures (continued) P1 – IS Risk Assessment P2 – Digital Signatures P3 – Intrusion Detection P4 – Viruses and Other Malicious Code P5 – Control Risk Self-assessment P6 – Firewalls P7 – Irregularities and Illegal Acts P8 – Security Assessment—Penetration Testing and Vulnerability Analysis P9 – Evaluation of Management Controls Over Encryption Methodologies P10 – Business Application Change Control P11 – Electronic Funds Transfer (EFT) Relationship Among Standards, Guidelines and Procedures Standards • Must be followed by IS auditors Guidelines • Provide assistance on how to implement the standards Procedures • Provide examples for implementing the standards Risk Analysis • What is risk? • Elements of risk • Risk Analysis and audit planning (continued) Risk management process • Risk assessment • Risk mitigation • Risk reevaluation Internal Controls • Policies, procedures, practices and organizational structures implemented to reduce risks • Classification of internal controls - Preventive controls - Detective controls - Corrective controls Internal Control Objectives Internal control system • Internal accounting controls • Operational controls • Administrative controls Internal Control Objectives (continued) Internal control objectives • • • • • • • • • • Safeguarding of IT assets Compliance to corporate policies or legal requirements Input Authorization Accuracy and completeness of processing of data input/transactions Output Reliability of process Backup/recovery Efficiency and economy of operations Change management process for IT and related systems IS Control objectives (continued) • Safeguarding assets • Assuring the integrity of general operating system environments • Assuring the integrity of sensitive and critical application system environments through: – Authorization of the input – Accuracy and completeness of processing of transactions – Reliability of overall information processing activities – Accuracy, completeness and security of the output – Database integrity IS Control Objectives (continued) • Ensuring appropriate identification and authentication of users of IS resources • Ensuring the efficiency and effectiveness of operations • Complying with requirements, policies and procedures, and applicable laws • Developing business continuity and disaster recovery plans • Developing an incident response plan • Implementing effective change management procedures General Controls Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved. General Controls (continued) • Internal accounting controls directed at accounting operations • Operational controls concerned with the day-to-day operations • Administrative controls concerned with operational efficiency and adherence to management policies • Organizational logical security policies and procedures • Overall policies for the design and use of documents and records • Procedures and features to ensure authorized access to assets • Physical security policies for all data centers IS Controls • Strategy and direction • General organization and management • Access to IT resources, including data and programs • Systems development methodologies and change control • Operations procedures • Systems programming and technical support functions IS Controls (continued) • Quality assurance procedures • Physical access controls • Business continuity/disaster recovery planning • Networks and communications • Database administration • Protection and detective mechanisms against internal and external attacks Classification of Audits • Financial audits • Operational audits • Integrated audits • Administrative audits • IS audits • Specialized audits • Forensic audits Audit Programs • Based on the scope and objective of the particular assignment • IS auditor’s perspectives: – Security (confidentiality, integrity and availability) – Quality (effectiveness, efficiency) – Fiduciary (compliance, reliability) – Service and capacity Audit Programs (continued) Procedures for Testing and Evaluating IS Controls • Use of generalized audit software to survey the contents of data files • Use of specialized software to assess the contents of operating system parameter files • Flow-charting techniques for documenting automated applications and business process • Use of audit reports available in operation systems • Documentation review • Observation Audit Methodology • A set of documented audit procedures designed to achieve planned audit objectives • Composed of: – Statement of scope – Statement of audit objectives – Statement of audit programs • Set up and approved by the audit management • Communicated to all audit staff Risk-based Auditing Audit Objectives Specific goals of the audit • Compliance with legal and regulatory requirements • Confidentiality • Integrity • Reliability • Availability Evidence It is a requirement that the auditor’s conclusions be based on sufficient, competent evidence: • Independence of the provider of the evidence • Qualification of the individual providing the information or evidence • Objectivity of the evidence • Timing of the evidence Evidence (continued) Techniques for gathering evidence: • Review IS organization structures • Review IS policies and procedures • Review IS standards • Review IS documentation • Interview appropriate personnel • Observe processes and employee performance Sampling General approaches to audit sampling: • Statistical sampling • Non-statistical sampling Computer-assisted Audit Techniques • CAATs enable IS auditors to gather information independently • CAATs include: – Generalized audit software (GAS) – Utility software – Debugging and scanning software – Test data – Application software tracing and mapping – Expert systems Computer-assisted Audit Techniques (continued) Documentation that should be retained: • • • • • • • • Online reports Commented program listings Flowcharts Sample reports Record and file layouts Field definitions Operating instructions Description of applicable source documents Computer-assisted Audit Techniques (continued) CAATs as a continuous online audit approach: • Improves audit efficiency • IS auditors must: – develop audit techniques for use with advanced computerized systems – be involved in the creation of advanced systems – make greater use of automated tools Communicating Audit Results • Exit interview – Correct facts – Realistic recommendations – Implementation dates for agreed recommendations • Presentation techniques – Executive summary – Visual presentation Audit Documentation Audit documentation includes: • Planning and preparation of the audit scope and objectives • Description on the scoped audit area • Audit program • Audit steps performed and evidence gathered • Other experts used • Audit findings, conclusions and recommendations Case Study A Scenario The IS auditor has been asked to perform preliminary work that will assess the readiness of the organization for a review to measure compliance with new regulatory requirements. These requirements are designed to ensure that management is taking an active role in setting up and maintaining a well-controlled environment and, accordingly, will assess management’s review and testing of the general IT control environment. Areas to be assessed include logical and physical security, change management, production control and network management, IT governance, and end-user computing. The IS auditor has been given six months to perform this preliminary work, so sufficient time should be available. It should be noted that in previous years, repeated problems have been identified in the areas of logical security and change management, so these areas will most likely require some degree of remediation. Case Study A Scenario (continued) Logical security deficiencies noted included the sharing of administrator accounts and failure to enforce adequate controls over passwords. Change management deficiencies included improper segregation of incompatible duties and failure to document all changes. Additionally, the process for deploying operating system updates to servers was found to be only partially effective. In anticipation of the work to be performed by the IS auditor, the chief information officer (CIO) requested direct reports to develop narratives and process flows describing the major activities for which IT is responsible. These were completed, approved by the various process owners and the CIO, and then forwarded to the IS auditor for examination. Case Study A Question 1. What should the IS auditor do FIRST? A. Perform an IT risk assessment. B. Perform a survey audit of logical access controls. C. Revise the audit plan to focus on risk-based auditing. D. Begin testing controls that the IS auditor feels are most critical. Case Study A Question 2. When testing program change management, how should the sample be selected? A. B. C. D. Change management documents should be selected at random and examined for appropriateness. Changes to production code should be sampled and traced to appropriate authorizing documentation. Change management documents should be selected based on system criticality and examined for appropriateness. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change. Case Study B Scenario An IS auditor is planning to review the security of a financial application for a large company with several locations worldwide. The application system is made up of a web interface, a business logic layer and a database layer. The application is accessed locally through a LAN and remotely through the Internet via a VPN connection. Case Study B Question 1. The MOST appropriate type of CAATs tool the auditor should use to test security configuration settings for the entire application system is: A. B. C. D. generalized audit software. test data. utility software. expert system. Case Study B Question 2. Given that the application is accessed through the Internet, how should the auditor determine whether to perform a detailed review of the firewall rules and virtual private network (VPN) configuration settings? A. B. C. D. Documented risk analysis Availability of technical expertise Approach used in previous audit IS auditing guidelines and best practices Case Study B Question 3. During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST: A. review the authorization on a sample of transactions. B. immediately report this finding to upper management. C. request that auditee management review the appropriateness of access rights for all users. D. use a generalized audit software to check the integrity of the database. Case Study C Scenario An IS auditor has been appointed to carry out IS audits in an entity for a period of 2 years. After accepting the appointment, the IS auditor noted that: • • The entity has an audit charter that detailed, among other things, the scope and responsibilities of the IS audit function and specifies the audit committee as the overseeing body for audit activity. The entity is planning a major increase in IT investment, mainly on account of implementation of a new ERP application, integrating business processes across units dispersed geographically. The ERP implementation is expected to become operational within the next 90 days. The servers supporting the business applications are hosted offsite by a third-party service provider. Case Study C Scenario (continued) • The entity has a new incumbent as chief information security officer (CISO), who reports to the chief financial officer (CFO). • The entity is subject to regulatory compliance requirements that require its management to certify the effectiveness of the internal control system as it relates to financial reporting. The entity has been recording growth at double the industry average consistently over the last two years. However, the entity has seen increased employee turnover as well. Case Study C Question 1. The FIRST priority of the IS auditor in year 1 should be to study the: A. previous IS audit reports and plan the audit schedule. B. audit charter and plan the audit schedule. C. impact of the new incumbent as CISO. D. impact of the implementation of a new ERP on the IT environment and plan the audit schedule. Case Study C Question 2. How should the IS auditor evaluate backup and batch processing within computer operations? A. Plan and carry out an independent review of computer operations. B. Rely on the service auditor’s report of the service provider. C. Study the contract between the entity and the service provider. D. Compare the service delivery report to the service level agreement. Practice Question 1-1 Which of the following BEST describes the early stages of an IS audit? A. Observing key organizational facilities B. Assessing the IS environment C. Understanding the business process and environment applicable to the review D. Reviewing prior IS audit reports Practice Question 1-2 In performing a risk-based audit, which risk assessment is completed initially by the IS auditor? A. B. C. D. Detection risk assessment Control risk assessment Inherent risk assessment Fraud risk assessment Practice Question 1-3 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus? A. B. C. D. Business processes Critical IT applications Operational controls Business strategies Practice Question 1-4 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed? A. B. C. D. Control risk Detection risk Inherent risk Sampling risk Practice Question 1-5 An IS auditor performing a review of an application’s controls finds a weakness in system software that could materially impact the application. The IS auditor should: A. B. C. D. disregard these control weaknesses, as a system software review is beyond the scope of this review. conduct a detailed system software review and report the control weaknesses. include in the report a statement that the audit was limited to a review of the application’s controls. review the system software controls as relevant and recommend a detailed system software review. Practice Question 1-6 The PRIMARY use of generalized audit software (GAS) is to: A. B. C. D. test controls embedded in programs. test unauthorized access to data. extract data of relevance to the audit. reduce the need for transaction vouching. Practice Question 1-7 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units? A. B. C. D. Informal peer reviews Facilitated workshops Process flow narratives Data flow diagrams Practice Question 1-8 The FIRST step in planning an audit is to: A. B. C. D. define audit deliverables. finalize the audit scope and audit objectives gain an understanding of the business’s objectives. develop the audit approach or audit strategy. Practice Question 1-9 The approach an IS auditor should use to plan IS audit coverage should be based on: A. risk. B. materiality. C. professional skepticism. D. detective control. Practice Question 1-10 A company performs a daily backup of critical data and software files and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a: A. preventive control. B. management control. C. corrective control. D. detective control.
