ISACA®
TRUST IN, AND VALUE FROM,
INFORMATION SYSTEMS
2012 CISA Review Course
CHAPTER 1
THE PROCESS OF AUDITING
INFORMATION SYSTEMS
Course Agenda
• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
Exam Relevance
Ensure that the CISA candidate…
Has the knowledge necessary to provide audit services in accordance with IT audit
standards to assist the organization with protecting and controlling information
systems
The content area in this chapter
will represent approximately 14% of
the CISA examination
(approximately 28 questions).
Chapter 1 Learning Objectives
• Develop and implement a risk-based IT audit
strategy in compliance with IT audit standards
to ensure that key areas are included
• Plan specific audits to determine whether
information systems are protected, controlled
and provide value to the organization
• Conduct audits in accordance with IT audit
standards to achieve planned audit objectives
Learning Objectives
(continued)
• Report audit findings and make
recommendations to key stakeholders to
communicate results and effect change when
necessary
• Conduct follow-ups or prepare status reports to
ensure appropriate actions have been taken by
management in a timely manner
1.2.1 Organization of the IS
Audit Function
• Audit charter (or engagement letter)
– Stating management’s responsibility and objectives
for, and delegation of authority to, the IS audit
function
– Outlining the overall authority, scope and
responsibilities of the audit function
• Approval of the audit charter
• Change in the audit charter
1.2.2 IS Audit Resource
Management
• Limited number of IS auditors
• Maintenance of their technical competence
• Assignment of audit staff
1.2.3 Audit Planning
Short-term planning
Individual Audit Planning
Long-term planning
Understanding of overall
environment
Things to consider
• Business practices and functions
• New control issues
• Information systems and technology
• Changing technologies
• Changing business processes
• Enhanced evaluation techniques
1.2.3 Audit Planning (continued)
Audit planning steps
• Gain an understanding of the business’s mission,
objectives, purpose and processes
• Identify stated contents (policies, standards,
guidelines, procedures, and organization structure)
• Evaluate risk assessment and privacy impact
analysis
• Perform a risk analysis
1.2.3 Audit Planning (continued)
Audit planning steps (continued)
• Conduct an internal control review
• Set the audit scope and audit objectives
• Develop the audit approach or audit strategy
• Assign personnel resources to audit and address
engagement logistics
1.2.4 Effect of Laws and Regulations on
IS Audit Planning
Regulatory requirements
• Establishment
• Organization
• Responsibilities
• Correlation to financial, operational and IT audit
functions
1.2.4 Effect of Laws and Regulations on
IS Audit Planning (continued)
Steps to determine compliance with external
requirements:
• Identify external requirements
• Document pertinent laws and regulations
• Assess whether management and the IS function
have considered the relevant external requirements
• Review internal IS department documents that
address adherence to applicable laws
• Determine adherence to established procedures
1.3.1 ISACA Code of
Professional Ethics
The Association’s Code of Professional Ethics
provides guidance for the professional and
personal conduct of members of ISACA and/or
holders of the CISA and CISM designation.
1.3.2 ISACA IT Audit and
Assurance Standards Framework
Framework for the ISACA IS Auditing
Standards:
• Standards
• Guidelines
• Procedures
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
Objectives of the ISACA IT Audit and
Assurance Standards:
• Inform management and other interested parties of
the profession’s expectations concerning the work
of audit practitioners
• Inform information system auditors of the minimum
level of acceptable performance required to meet
professional responsibilities set out in the ISACA
Code of Professional Ethics
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S1 - Audit Charter
S2 - Independence
S3 - Ethics and Standards
S4 - Competence
S5 - Planning
S6 - Performance of Audit Work
S7 - Reporting
S8 - Follow-up Activities
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S9 - Irregularities and illegal acts
S10 - IT governance
S11 - Use of risk assessment in audit planning
S12 - Audit Materiality
S13 - Using the Work of Other Experts
S14 - Audit Evidence
S15 - IT Controls
S16 - E-commerce
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S1 - Audit
Charter
S2 Independence
• Purpose, responsibility, authority
and accountability
• Approval
• Professional independence
• Organizational independence
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S3 Professional
Ethics and
Standards
• Code of Professional Ethics
• Due professional care
S4 Competence
• Skills and knowledge
• Continuing professional education
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S5 - Planning
• Plan IS audit coverage
• Develop and document a risk-based
audit approach
• Develop and document an audit plan
• Develop an audit program and
procedures
S6 Performance
of Audit
Work
• Supervision
• Evidence
• Documentation
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S7 Reporting
• Identify the organization, intended
recipients and any restrictions
• State the scope, objectives,
coverage and nature of audit work
performed
• State the findings, conclusions and
recommendations and limitations
• Justify the results reports
• Be signed, dated and distributed
according to the audit charter
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S8 - Followup Activities
• Review previous conclusions and
recommendations
• Review previous relevant findings
• Determine whether appropriate
actions have been taken by
management in a timely manner
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S9 Irregularities
and Illegal
Acts
• Consider the risk of irregularities
and illegal acts
• Maintain an attitude of
professional skepticism
• Obtain an understanding of the
organization and its environment
• Consider unusual or unexpected
relationships
• Test the appropriateness of
internal control
• Assess any misstatement
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S9 Irregularities
and Illegal
Acts
(continued)
• Obtain written representations from
management
• Have knowledge of any allegations of
irregularities or illegal acts
• Communicate material irregularities or
illegal acts
• Consider appropriate action in case of
inability to continue performing the audit
• Document irregularity- or illegal actrelated communications, planning, results,
evaluations and conclusions
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S10 - IT
Governance
• Review and assess the IS function’s
alignment with the organization’s
mission, vision, values, objectives
and strategies
• Review the IS function’s statement
about the performance and assess its
achievement
• Review and assess the effectiveness
of IS resource and performance
management processes
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S10 - IT
Governance
(continued)
• Review and assess compliance with
legal, environmental and information
quality, and fiduciary and security
requirements
• Use a risk-based approach to
evaluate the IS function
• Review and assess the organization’s
control environment
• Review and assess the risks that may
adversely affect the IS environment
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S11 - Use of
Risk
Assessment
in Audit
• Planning
• Use a risk assessment technique
in developing the overall IS audit
plan
• Identify and assess relevant risks
in planning individual reviews
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S12 – Audit
Materiality
• The IS auditor should consider
audit materiality and its relationship
to audit risk
• The IS auditor should consider
potential weakness or absence of
controls when planning for an audit
• The IS auditor should consider the
cumulative effect of minor control
deficiencies or weaknesses
• The IS audit report should disclose
ineffective controls or absence of
controls
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S13 - Using
the Work of
Other
Experts
• The IS auditor should consider using the work of
other experts
• The IS auditor should be satisfied with the
qualifications, competencies, etc., of other experts
• The IS auditor should assess, review and evaluate
the work of other experts
• The IS auditor should determine if the work of
other experts is adequate and complete
• The IS auditor should apply additional test
procedures to gain sufficient and appropriate audit
evidence
• The IS auditor should provide appropriate audit
opinion
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S14 -Audit
Evidence
• Includes procedures performed by
the auditor and results of those
procedures
• Includes source documents,
records and corroborating
information
• Includes findings and results of the
audit work
• Demonstrates that the work was
performed and complies with
applicable laws, regulations and
policies
1.3.2 ISACA IT Audit and Assurance
Standards Framework (continued)
S15 - IT
Controls
• The IS auditor should evaluate
and monitor IT controls that are an
integral part of the internal control
environment of the organization.
S16 - Ecommerce
• The IS Auditor should evaluate
applicable controls and assess risk
when reviewing e-commerce
environments to ensure that ecommerce transactions are properly
controlled.
1.3.3 ISACA IT Audit and
Assurance Guidelines
G1 Using the Work of Other Auditors, effective 1 June 1998
G2 Audit Evidence Requirement, effective 1 December 1998
G3
Use of Computer Assisted Audit Techniques (CAATs), effective 1
December 1998
G4
Outsourcing of IS Activities to Other Organizations, effective 1 September
1999
G5 Audit Charter, effective 1 September 1999
G6
Materiality Concepts for Auditing Information Systems, effective 1
September 1999
G7 Due Professional Care, effective 1 September 1999
G8 Audit Documentation, effective 1 September 1999
1.3.3 ISACA IS Auditing
Guidelines (continued)
G9 Audit Considerations for Irregularities, effective 1 March 2000
G10 Audit Sampling, effective 1 March 2000
G11 Effect of Pervasive IS Controls, effective 1 March 2000
G12 Organizational Relationship and Independence, effective September 2000
G13 Use of Risk Assessment in Audit Planning, effective 1 September 2000
G14 Application Systems Review, effective 1 November 2001
G15 Planning Revised, effective 1 March 2002
G16
Effect of Third Parties on an Organization’s IT Controls, effective 1 March
2002
G17
Effect of Non-audit Role on the IS Auditor’s Independence, effective 1 July
2002
1.3.3 ISACA IS Auditing
Guidelines (continued)
G18 IT Governance, effective 1 July 2002
G19 Irregularities and Illegal Acts, effective 1 July 2002
G20 Reporting, effective 1 January 2003
G21
Enterprise Resource Planning (ERP)Systems Review, effective 1 August
2003
G22 Business-to-consumer (B2C) E-commerce Review, effective 1 August 2003
G23 System Development Life Cycle (SDLC) Review, effective 1 August 2003
G24 Internet Banking, effective 1 August 2003
G25 Review of Virtual Private Networks, effective 1 July 2004
G26
Business Process Reengineering (BPR) Project Reviews, effective 1 July
2004
1.3.3 ISACA IS Auditing
Guidelines (continued)
G27 Mobile Computing, effective 1 September 2004
G28 Computer Forensics, effective 1 September 2004
G29 Post-implementation Review, effective 1 January 2005
G30 Competence, effective 1 June 2005
G31 Privacy, effective 1 June 2005
G32
Business Continuity Plan (BCP) Review From IT Perspective, effective 1
September 2005
G33 General Considerations on the Use of the Internet, effective 1 March 2006
G34 Responsibility, Authority and Accountability, effective 1 March 2006
1.3.3 ISACA IS Auditing
Guidelines (continued)
G35 Follow-up Activities, effective 1 March 2006
G36 Biometric Controls, effective 1 March 2007
G37 Configuration Management, effective 1 November 2007
G38 Access Control, effective 1 February 2008
G39 IT Organizations, effective 1 May 2008
G40
Review of Security Management Practices, effective 1
October 2008
G41 Return on Security Investment (ROSI), effective 1 May 2010
G42 Continuous Assurance, effective 1 May 2010
1.3.4 ISACA IT Audit and Assurance
Tools and Techniques
• Procedures developed by the ISACA Standards
Board provide examples of possible processes
an IS auditor might follow in an audit
engagement
• The IS auditor should apply their own
professional judgment to the specific
circumstances
1.3.4 ISACA IT Audit and Assurance
Tools and Techniques
P1 – IS Risk Assessment, effective 1 July 2002
P2 – Digital Signatures, effective 1 July 2002
P3 – Intrusion Detection, effective 1 August 2003
P4 – Viruses and Other Malicious Code, effective 1 August 2003
P5 – Control Risk Self-assessment, effective 1 August 2003
P6 – Firewalls, effective 1 August 2003
P7 – Irregularities and Illegal Acts, effective 1 November 2003
P8 – Security Assessment—Penetration Testing and Vulnerability Analysis,
effective 1 September 2004
P9 – Evaluation of Management Controls Over Encryption Methodologies,
effective 1 January 2005
P10 – Business Application Change Control, effective 1 October 2006
P11 – Electronic Funds Transfer (EFT), effective 1 May 2007
1.3.5 Relationship Among Standards,
Guidelines and Tools and
Techniques
Standards
• Must be followed by IS auditors
Guidelines
• Provide assistance on how to implement the
standards
Tools and Techniques
• Provide examples for implementing the standards
1.3.6 Information Technology
Assurance Framework (ITAF™)
Section 2200 – General Standards
Section 2400 – Performance Standards
Section 2600 – Reporting Standards
Section 3000 – IT Assurance Guidelines
Section 3200 – Enterprise Topics
Section 3400 – IT Management Process
Section 3600 – IT Audit and Assurance Guidelines
Section 3800 – IT Audit and Assurance
Management
1.4 Risk Analysis
From the IS auditor’s perspective, risk analysis
serves more than one purpose:
• It assists the IS auditor in identifying risks and threats
to an IT environment and IS system—risks and
threats that would need to be addressed by
management—and in identifying system specific
internal controls. Depending on the level of risk, this
assists the IS auditor in selecting certain areas to
examine.
1.4 Risk Analysis
• It helps the IS auditor in his/her evaluation of controls
in audit planning.
• It assists the IS auditor in determining audit
objectives.
• It supports risk-based audit decision making.
• Part of audit planning
• Helps identify risks and vulnerabilities
• The IS auditor can determine the controls needed to
mitigate those risks
1.4 Risk Analysis
IS auditors must be able to:
• Be able to identify and differentiate risk types and the
controls used to mitigate these risks
• Have knowledge of common business risks, related
technology risks and relevant controls
• Be able to evaluate the risk assessment and
management techniques used by business managers,
and to make assessments of risk to help focus and
plan audit work
• Have an understand that risk exists within the audit
process
1.4 Risk Analysis
In analyzing the business risks arising from the use
of IT, it is important for the IS auditor to have a clear
understanding of:
• The purpose and nature of business, the environment in which the
business operates and related business risks
• The dependence on technology and related dependencies that
process and deliver business information
• The business risks of using IT and related dependencies and how
they impact the achievement of the business goals and objectives
• A good overview of the business processes and the impact of IT
and related risks on the business process objectives
1.4 Risk Analysis (continued)
1.5 Internal Controls
Policies, procedures, practices and organizational
structures implemented to reduce risks
• Classification of internal controls
–
Preventive controls
–
Detective controls
–
Corrective controls
1.5 Internal Controls (continued)
1.5.1 Internal Control
Objectives
Internal control system
• Internal accounting controls
• Operational controls
• Administrative controls
1.5.1 Internal Control
Objectives (continued)
Internal control objectives
• Safeguarding of IT assets
• Compliance to corporate policies or legal requirements
• Input
• Authorization
• Accuracy and completeness of processing of data input/transactions
• Output
• Reliability of process
• Backup/recovery
• Efficiency and economy of operations
• Change management process for IT and related systems
1.5.2 IS Control Objectives
Internal control objectives apply to all areas,
whether manual or automated. Therefore,
conceptually, control objectives in an IS
environment remain unchanged from those of a
manual environment.
1.5.2 IS Control Objectives
(continued)
• Safeguarding assets
• Assuring the integrity of general operating system
environments
• Assuring the integrity of sensitive and critical application
system environments through:
– Authorization of the input
– Accuracy and completeness of processing of transactions
– Reliability of overall information processing activities
– Accuracy, completeness and security of the output
– Database integrity
1.5.2 IS Control Objectives
(continued)
• Ensuring appropriate identification and authentication of
users of IS resources
• Ensuring the efficiency and effectiveness of operations
• Complying with requirements, policies and procedures,
and applicable laws
• Developing business continuity and disaster recovery
plans
• Developing an incident response plan
• Implementing effective change management procedures
1.5.3 COBIT
• A framework with 34 IT processes
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate
1.5.4 General Controls
Apply to all areas of an organization and include
policies and practices established by
management to provide reasonable assurance
that specific objectives will be achieved.
• Internal accounting controls directed at
accounting operations
– Operational controls concerned with the day-to-day
operations
1.5.4 General Controls (continued)
– Administrative controls concerned with operational
efficiency and adherence to management policies
– Organizational logical security policies and
procedures
– Overall policies for the design and use of
documents and records
– Procedures and features to ensure authorized
access to assets
– Physical security policies for all data centers
1.5.5 IS Controls
• Strategy and direction
• General organization and management
• Access to IT resources, including data and
programs
• Systems development methodologies and change
control
• Operations procedures
• Systems programming and technical support
functions
1.5.5 IS Controls (continued)
• Quality assurance procedures
• Physical access controls
• Business continuity/disaster recovery planning
• Networks and communications
• Database administration
• Protection and detective mechanisms against
internal and external attacks
1.6 Performing an IS Audit
Definition of auditing
Systematic process by which a competent, independent
person objectively obtains and evaluates evidence regarding
assertions about an economic entity or event for the purpose
of forming an opinion about and reporting on the degree to
which the assertion conforms to an identified set of standards.
Definition of IS auditing
Any audit that encompasses review and evaluation (wholly or
partly) of automated information processing systems, related
non-automated processes and the interfaces between them.
1.6.1 Classification of Audits
• Financial audits
• Operational audits
• Integrated audits
• Administrative audits
• IS audits
• Specialized audits
• Forensic audits
1.6.2 Audit Programs
• Based on the scope and objective of the
particular assignment
• IS auditor’s perspectives:
– Security (confidentiality, integrity and availability)
– Quality (effectiveness, efficiency)
– Fiduciary (compliance, reliability)
– Service and capacity
1.6.2 Audit Programs (continued)
General audit procedures
• Understanding of the audit area/subject
• Risk assessment and general audit plan
• Detailed audit planning
• Preliminary review of audit area/subject
• Evaluating audit area/subject
• Verifying and evaluating controls
• Compliance testing
• Substantive testing
• Reporting (communicating results)
• Follow-up
1.6.2 Audit Programs (continued)
Procedures for Testing and Evaluating IS Controls
• Use of generalized audit software to survey the contents of
data files
• Use of specialized software to assess the contents of
operating system parameter files
• Flow-charting techniques for documenting automated
applications and business process
• Use of audit reports available in operation systems
• Documentation review
• Observation
1.6.3 Audit Methodology
A set of documented audit procedures designed to
achieve planned audit objectives
• Composed of:
– Statement of scope
– Statement of audit objectives
– Statement of audit programs
• Set up and approved by the audit management
• Communicated to all audit staff
1.6.3 Audit Methodology
(continued)
Audit phases
•
•
•
•
•
•
•
•
Audit subject
Audit objective
Audit scope
Pre-audit planning
Audit procedures and steps for data gathering
Procedures for evaluating the test or review results
Procedures for communication with management
Audit report preparation
1.6.3 Audit Methodology
(continued)
1.6.3 Audit Methodology
(continued)
What is documented in workpapers (WPs)?
• Audit plans
• Audit programs
• Audit activities
• Audit tests
• Audit findings and incidents
Practice Question
1-1
Which of the following outlines the overall
authority to perform an IS audit?
A.
The audit scope, with goals and objectives
B.
A request from management to perform an audit
C.
The approved audit charter
D. The approved audit schedule
1.6.4 Fraud Detection
• Management’s responsibility
• Benefits of a well-designed internal control
system
– Deterring fraud at the first instance
– Detecting fraud in a timely manner
• Fraud detection and disclosure
• Auditor’s role in fraud prevention and detection
1.6.5 Risk-based Auditing
Practice Question
1-2
In performing a risk-based audit, which risk
assessment is completed initially by the IS
auditor?
A.
Detection risk assessment
B.
Control risk assessment
C.
Inherent risk assessment
D.
Fraud risk assessment
Practice Question
1-3
While developing a risk-based audit program, on
which of the following would the IS auditor MOST
likely focus?
A.
Business processes
B.
Critical IT applications
C.
Operational controls
D.
Business strategies
1.6.6 Audit Risk and Materiality
Audit risk categories
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk
Practice Question
1-4
Which of the following types of audit risk
assumes an absence of compensating controls in the
area being reviewed?
A.
Control risk
B.
Detection risk
C.
Inherent risk
D.
Sampling risk
Practice Question
1-5
An IS auditor performing a review of an application’s
controls finds a weakness in system software that
could materially impact the application. The IS auditor
should:
A.
disregard these control weaknesses, as a system
software review is beyond the scope of this review.
B.
conduct a detailed system software review and report
the control weaknesses.
C.
include in the report a statement that the audit was
limited to a review of the application’s controls.
D.
review the system software controls as relevant and
recommend a detailed system software review.
1.6.7 Risk Assessment and
Treatment
Assessing security risks
• Risk assessments should identify, quantify and
prioritize risks against criteria for risk acceptance
and objectives relevant to the organization
• Should be performed periodically to address
changes in the environment, security requirements
and when significant changes occur
1.6.7 Risk Assessment and
Treatment (continued)
Treating security risks
• Each risk identified in a risk assessment needs to
be treated
• Controls should be selected to ensure that risks
are reduced to an acceptable level
1.6.8 Risk Assessment
Techniques
• Enables management to effectively allocate limited
audit resources
• Ensures that relevant information has been
obtained from all levels of management
• Establishes a basis for effectively managing the
audit department
• Provides a summary of how the individual audit
subject is related to the overall organization as well
as to the business plan
1.6.9 Audit Objectives
Specific goals of the audit
• Compliance with legal and regulatory
requirements
• Confidentiality
• Integrity
• Reliability
• Availability
1.6.10 Compliance vs.
Substantive Testing
• Compliance test
– Determines whether controls are in compliance
with management policies and procedures
• Substantive test
– Tests the integrity of actual processing
• Correlation between the level of internal controls
and substantive testing required
• Relationship between compliance and substantive
tests
1.6.10 Compliance vs.
Substantive Testing (continued)
1.6.11 Evidence
It is a requirement that the auditor’s
conclusions be based on sufficient,
competent evidence:
• Independence of the provider of the evidence
• Qualification of the individual providing the
information or evidence
• Objectivity of the evidence
• Timing of the evidence
1.6.11 Evidence (continued)
Techniques for gathering evidence:
•
Review IS organization structures
•
Review IS policies and procedures
•
Review IS standards
•
Review IS documentation
•
Interview appropriate personnel
•
Observe processes and employee
performance
1.6.12 Interviewing and Observing
Personnel in Performance of Their
Duties
• Actual functions
• Actual processes/procedures
• Security awareness
• Reporting relationships
1.6.13 Sampling
General approaches to audit sampling:
• Statistical sampling
• Non-statistical sampling
1.6.13 Sampling (continued)
• Attribute sampling
– Stop-or-go sampling
– Discovery sampling
• Variable sampling
– Stratified mean per unit
– Unstratified mean per unit
– Difference estimation
1.6.13 Sampling (continued)
Statistical sampling terms:
• Confident coefficient
• Level of risk
• Precision
• Expected error rate
1.6.13 Sampling (continued)
Statistical sampling terms (continued):
• Sample mean
• Sample standard deviation
• Tolerable error rate
• Population standard deviation
1.6.13 Sampling (continued)
Key steps in choosing a sample:
• Determine the objectives of the test
• Define the population to be sampled
• Determine the sampling method, such as
attribute versus variable sampling
• Calculate the sample size
• Select the sample
• Evaluating the sample from an audit perspective
1.6.14 Using the Services of
Other Auditors and Experts
Considerations when using services of other
auditors and experts:
• Restrictions on outsourcing of audit/security
services provided by laws and regulations
• Audit charter or contractual stipulations
• Impact on overall and specific IS audit objectives
• Impact on IS audit risk and professional liability
• Independence and objectivity of other auditors
and experts
1.6.14 Using the Services of
Other Auditors and Experts (cont’d)
Considerations when using services of other
auditors and experts:
• Professional competence, qualifications and experience
• Scope of work proposed to be outsourced and approach
• Supervisory and audit management controls
• Method and modalities of communication of results of
audit work
• Compliance with legal and regulatory stipulations
• Compliance with applicable professional standards
1.6.15 Computer-assisted
Audit Techniques
• CAATs enable IS auditors to gather information
independently
• CAATs include:
– Generalized audit software (GAS)
– Utility software
– Debugging and scanning software
– Test data
– Application software tracing and mapping
– Expert systems
1.6.15 Computer-assisted
Audit Techniques (continued)
• Features of generalized audit software (GAS):
–
–
–
–
Mathematical computations
Stratification
Statistical analysis
Sequence checking
• Functions supported by GAS:
–
–
–
–
–
File access
File reorganization
Data selection
Statistical functions
Arithmetical functions
1.6.15 Computer-assisted
Audit Techniques (continued)
Items to consider before utilizing CAATs:
• Ease of use for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Confidentiality of data being processed
1.6.15 Computer-assisted
Audit Techniques (continued)
Documentation that should be retained:
• Online reports
• Commented program listings
• Flowcharts
• Sample reports
• Record and file layouts
• Field definitions
• Operating instructions
• Description of applicable source documents
1.6.15 Computer-assisted
Audit Techniques (continued)
CAATs as a continuous online audit
approach:
• Improves audit efficiency
• IS auditors must:
– develop audit techniques for use with advanced
computerized systems
– be involved in the creation of advanced systems
– make greater use of automated tools
1.6.16 Evaluation of Audit
Strengths and Weaknesses
• Assess evidence
• Evaluate overall control structure
• Evaluate control procedures
• Assess control strengths and weaknesses
1.6.16 Evaluation of Audit
Strengths and Weaknesses (cont’d)
Judging materiality of findings
• Materiality is a key issue
• Assessment requires judgment of the potential
effect of the finding if corrective action is not
taken
1.6.17 Communicating Audit
Results
Exit interview
– Correct facts
– Realistic recommendations
– Implementation dates for agreed recommendations
Presentation techniques
– Executive summary
– Visual presentation
1.6.17 Communicating Audit
Results (continued)
Audit report structure and contents
• An introduction to the report
• Audit findings presented in separate sections
• The IS auditor’s overall conclusion and opinion
• The IS auditor’s reservations with respect to the
audit
• Detailed audit findings and recommendations
• A variety of findings
1.6.18 Management Implementation of
Recommendations
• Auditing is an ongoing process
• Timing of follow-up
1.6.19 Audit Documentation
Audit documentation includes:
• Planning and preparation of the audit scope and
objectives
• Description on the scoped audit area
• Audit program
• Audit steps performed and evidence gathered
• Other experts used
• Audit findings, conclusions and recommendations
1.7 Control Self-Assessment
• A management technique
• A methodology
• In practice, a series of tools
• Can be implemented by various methods
1.7 Control Self-Assessment
(continued)
Practice Question
1-7
Which of the following is MOST effective for
implementing a control self-assessment (CSA)
within business units?
A.
Informal peer reviews
B.
Facilitated workshops
C.
Process flow narratives
D.
Data flow diagrams
1.7.1 Objectives of CSA
• Leverage the internal audit function by shifting
some control monitoring responsibilities to
functional areas
• Enhancement of audit responsibilities, not a
replacement
• Educate management about control design and
monitoring
• Empowerment of workers to assess the control
environment
1.7.2 Benefits of CSA
• Early detection of risks
• More effective and improved internal controls
• Increased employee awareness of
organizational objectives
• Highly motivated employees
• Improved audit rating process
• Reduction in control cost
• Assurance provided to stakeholders and
customers
1.7.3 Disadvantages of CSA
• Could be mistaken as an audit function
replacement
• May be regarded as an additional workload
• Failure to act on improvement suggestions
could damage employee morale
• Lack of motivation may limit effectiveness in the
detection of weak controls
1.7.4 Auditor Role in CSA
• Internal control professionals
• Assessment facilitators
1.7.5 Technology Drivers for
CSA
• Combination of hardware and software
• Use of an electronic meeting system
• Computer-supported decision aids
• Group decision making is an essential
component
1.7.6 Traditional vs.
CSA Approach
• Traditional Approach
–
–
–
–
Assigns duties/supervises staff
Policy/rule driven
Limited employee participation
Narrow stakeholder focus
• CSA Approach
– Empowered/accountable employees
– Continuous improvement/learning curve
– Extensive employee participation and training
– Broad stakeholder focus
1.8.1 Integrated Auditing
Process whereby appropriate audit disciplines are
combined to assess key internal controls over an
operation, process or entity.
• Focuses on risk to the organization (for an
internal auditor)
• Focuses on the risk of providing an incorrect or
misleading audit opinion (for an external
auditor)
1.8.1 Integrated Auditing
(continued)
Process involves:
• Identification of risks faced by
organization and of relevant key
controls
• Review and understanding of
the design of key controls
• Testing that key controls are
supported by the IT system
• Testing that management
controls operate effectively
• A combined report or opinion on
control risks, design and
weaknesses
1.8.2 Continuous Auditing
• Distinctive character
– Short time lapse between the facts to be audited
and the collection of evidence and audit reporting
• Drivers
– Better monitoring of financial issues
– Allows real-time transactions to benefit from realtime monitoring
– Prevents financial fiascoes and audit scandals
– Uses software to determine proper financial controls
1.8.2 Continuous Auditing
(continued)
Continuous auditing vs. continuous monitoring
• Continuous monitoring
– Provided by IS management tools
– Based on automated procedures to meet fiduciary
responsibilities
• Continuous auditing
– Audit-driven
– Completed using automated audit procedures
1.8.2 Continuous Auditing
(continued)
Application of continuous auditing due to:
• New information technology developments
• Increased processing capabilities
• Standards
• Artificial intelligence tools
1.8.2 Continuous Auditing
(continued)
Prerequisites:
•
•
•
•
•
•
•
•
•
•
•
A high degree of automation
An automated and reliable information-producing process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors’ mindset
Evaluation of cost factors
1.8.2 Continuous Auditing
(continued)
IT techniques in a continuous auditing environment:
• Transaction logging
• Query tools
• Statistics and data analysis (CAAT)
• Database management systems (DBMS)
• Data warehouses, data marts and data mining
• Intelligent agents
• Embedded audit modules (EAM)
• Neural network technology
• Standards such as Extensible Business Reporting Language
1.8.2 Continuous Auditing
(continued)
• Advantages
– Instant capture of internal control problems
– Reduction of intrinsic audit inefficiencies
• Disadvantages
– Difficulty in implementation
– High cost
– Elimination of auditors’ personal judgment and
evaluation
Practice Question
1-8
The FIRST step in planning an audit is to:
A.
define audit deliverables.
B.
finalize the audit scope and audit objectives
C.
gain an understanding of the business’s objectives.
D.
develop the audit approach or audit strategy.
Practice Question
1-9
The approach an IS auditor should use to plan IS
audit coverage should be based on:
A.
risk.
B.
materiality.
C.
professional skepticism.
D.
detective control.
Practice Question
1-10 A company performs a daily backup of critical data
and software files and stores the backup tapes at an
offsite location. The backup tapes are used to restore
the files in case of a disruption. This is a:
A.
preventive control.
B.
management control.
C.
corrective control.
D.
detective control.
1.9.1 Case Study A Scenario
The IS auditor has been asked to perform preliminary work that will assess
the readiness of the organization for a review to measure compliance with
new regulatory requirements. These requirements are designed to ensure
that management is taking an active role in setting up and maintaining a
well-controlled environment and, accordingly, will assess management’s
review and testing of the general IT control environment.
Areas to be assessed include logical and physical security, change
management, production control and network management, IT
governance, and end-user computing. The IS auditor has been given six
months to perform this preliminary work, so sufficient time should be
available. It should be noted that in previous years, repeated problems
have been identified in the areas of logical security and change
management, so these areas will most likely require some degree of
remediation.
1.9.1 Case Study A Scenario
(continued)
Logical security deficiencies noted included the sharing of administrator
accounts and failure to enforce adequate controls over passwords.
Change management deficiencies included improper segregation of
incompatible duties and failure to document all changes. Additionally, the
process for deploying operating system updates to servers was found to
be only partially effective.
In anticipation of the work to be performed by the IS auditor, the chief
information officer (CIO) requested direct reports to develop narratives and
process flows describing the major activities for which IT is responsible.
These were completed, approved by the various process owners and the
CIO, and then forwarded to the IS auditor for examination.
Case Study A Question
1.
What should the IS auditor do FIRST?
A.
Perform an IT risk assessment.
B.
Perform a survey audit of logical access controls.
C.
Revise the audit plan to focus on risk-based auditing.
D.
Begin testing controls that the IS auditor feels are most
critical.
Case Study A Question
2.
When testing program change management, how
should the sample be selected?
A.
Change management documents should be selected at
random and examined for appropriateness.
B.
Changes to production code should be sampled and
traced to appropriate authorizing documentation.
C.
Change management documents should be selected
based on system criticality and examined for
appropriateness.
D.
Changes to production code should be sampled and
traced back to system-produced logs indicating the date
and time of the change.
1.9.2 Case Study B Scenario
An IS auditor is planning to review the security of
a financial application for a large company with
several locations worldwide. The application
system is made up of a web interface, a business
logic layer and a database layer. The application
is accessed locally through a LAN and remotely
through the Internet via a virtual private network
(VPN) connection.
Case Study B Question
1.
The MOST appropriate type of CAATs tool the
auditor should use to test security configuration
settings for the entire application system is:
A.
generalized audit software.
B.
test data.
C.
utility software.
D.
expert system.
Case Study B Question
2.
Given that the application is accessed through the
Internet, how should the auditor determine whether
to perform a detailed review of the firewall rules and
virtual private network (VPN) configuration settings?
A.
Documented risk analysis
B.
Availability of technical expertise
C.
Approach used in previous audit
D.
IS auditing guidelines and best practices
Case Study B Question
3.
During the review, if the auditor detects that the
transaction authorization control objective cannot be
met due to a lack of clearly defined roles and
privileges in the application, the auditor should FIRST:
A.
review the authorization on a sample of transactions.
B.
immediately report this finding to upper management.
C.
request that auditee management review the
appropriateness of access rights for all users.
D.
use a generalized audit software to check the integrity of
the database.
1.9.3 Case Study C Scenario
An IS auditor has been appointed to carry out IS audits in an
entity for a period of 2 years. After accepting the appointment,
the IS auditor noted that:
– The entity has an audit charter that detailed, among other things,
the scope and responsibilities of the IS audit function and
specifies the audit committee as the overseeing body for audit
activity.
– The entity is planning a major increase in IT investment, mainly
on account of implementation of a new ERP application,
integrating business processes across units dispersed
geographically. The ERP implementation is expected to become
operational within the next 90 days. The servers supporting the
business applications are hosted offsite by a third-party service
provider.
1.9.3 Case Study C Scenario
(continued)
– The entity has a new incumbent as chief information security
officer (CISO), who reports to the chief financial officer (CFO).
– The entity is subject to regulatory compliance requirements that
require its management to certify the effectiveness of the internal
control system as it relates to financial reporting. The entity has
been recording growth at double the industry average
consistently over the last two years. However, the entity has
seen increased employee turnover as well.
Case Study C Question
1.
The FIRST priority of the IS auditor in year 1 should
be to study the:
A.
previous IS audit reports and plan the audit schedule.
B.
audit charter and plan the audit schedule.
C.
impact of the new incumbent as CISO.
D.
impact of the implementation of a new ERP on the IT
environment and plan the audit schedule.
Case Study C Question
2.
How should the IS auditor evaluate backup and
batch processing within computer operations?
A.
Plan and carry out an independent review of computer
operations.
B.
Rely on the service auditor’s report of the service
provider.
C.
Study the contract between the entity and the service
provider.
D.
Compare the service delivery report to the service level
agreement.
Conclusion
• Chapter 1 Quick Reference Review
– Page 33 of CISA Review Manual 2012